CVE-2014-9485 - Vulnerability Details - OpenCVE

Directory traversal vulnerability in the do_extract_currentfile function in miniunz.c in miniunzip in minizip before 1.1-5 might allow remote attackers to write to arbitrary files via a crafted entry in a ZIP archive.

No CVSS v4.0

No CVSS v3.1

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Minizip Project	Minizip

Configuration 1 [-]

cpe:2.3:a:minizip_project:minizip:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2014/12/31/11
http://www.openwall.com/lists/oss-security/2015/01/03/16
http://www.openwall.com/lists/oss-security/2024/01/24/10
http://www.securityfocus.com/bid/71846
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774321

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-01-16T00:00:00

Updated: 2024-08-06T13:47:41.174Z

Reserved: 2015-01-03T00:00:00

Link: CVE-2014-9485

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-01-16T19:29:00.497

Modified: 2024-11-21T02:21:00.003

Link: CVE-2014-9485

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2014-9485", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-06T13:47:41.174Z", "dateReserved": "2015-01-03T00:00:00", "datePublished": "2018-01-16T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-01-24T21:06:18.110351"}, "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in the do_extract_currentfile function in miniunz.c in miniunzip in minizip before 1.1-5 might allow remote attackers to write to arbitrary files via a crafted entry in a ZIP archive."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"name": "71846", "tags": ["vdb-entry"], "url": "http://www.securityfocus.com/bid/71846"}, {"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774321"}, {"name": "[oss-security] 20141231 cve request: miniunzip directory traversal", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2014/12/31/11"}, {"name": "[oss-security] 20150103 Re: cve request: miniunzip directory traversal", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2015/01/03/16"}, {"name": "[oss-security] 20240124 Re: CVE-2023-45853: overflows in MiniZip in zlib through 1.3", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2024/01/24/10"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}], "datePublic": "2014-12-31T00:00:00"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T13:47:41.174Z"}, "title": "CVE Program Container", "references": [{"name": "71846", "tags": ["vdb-entry", "x_transferred"], "url": "http://www.securityfocus.com/bid/71846"}, {"url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774321", "tags": ["x_transferred"]}, {"name": "[oss-security] 20141231 cve request: miniunzip directory traversal", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2014/12/31/11"}, {"name": "[oss-security] 20150103 Re: cve request: miniunzip directory traversal", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2015/01/03/16"}, {"name": "[oss-security] 20240124 Re: CVE-2023-45853: overflows in MiniZip in zlib through 1.3", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2024/01/24/10"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:minizip_project:minizip:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D7374D9-360F-49AF-98CB-E7E6E85B0956", "versionEndIncluding": "1.1-4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in the do_extract_currentfile function in miniunz.c in miniunzip in minizip before 1.1-5 might allow remote attackers to write to arbitrary files via a crafted entry in a ZIP archive."}, {"lang": "es", "value": "Vulnerabilidad de salto de directorio en la funci\u00f3n do_extract_currentfile en miniunz.c en miniunzip en minizip en versiones anteriores a la 1.1-5 podr\u00eda permitir que atacantes remotos escriban en archivos arbitrarios mediante una entrada manipulada en un archivo ZIP."}], "id": "CVE-2014-9485", "lastModified": "2024-11-21T02:21:00.003", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-01-16T19:29:00.497", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2014/12/31/11"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/01/03/16"}, {"source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2024/01/24/10"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/71846"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774321"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2014/12/31/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2015/01/03/16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/01/24/10"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/71846"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774321"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}