WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths in .war archives, allowing for the extraction of crafted .war archives to overwrite arbitrary files. This is an instance of the 'Zip Slip' vulnerability.

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:N/I:P/A:P
Vendors Products
Redhat
  • Wildfly Core
  • Jboss Enterprise Application Platform
  • Enterprise Linux
  • Virtualization

Configuration 1 [-]

cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Configuration 4 [-]

OR cpe:2.3:a:redhat:wildfly_core:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:wildfly_core:6.0.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:redhat:wildfly_core:6.0.0:alpha2:*:*:*:*:*:*
References
Link Resource
https://access.redhat.com/errata/RHSA-2018:2276 Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2277 Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2279 Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2423 Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2424 Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2425 Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2428 Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2643 Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:0877 Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10862 Issue Tracking Vendor Advisory
https://snyk.io/research/zip-slip-vulnerability Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2018-07-27T14:00:00

Updated: 2019-04-24T21:06:03

Reserved: 2018-05-09T00:00:00

Link: CVE-2018-10862

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2018-07-27T14:29:00.300

Modified: 2019-04-26T15:08:27.273

Link: CVE-2018-10862

JSON object: View

cve-icon Redhat Information

No data.

CWE