{"id": "CESA-2018:1836", "bulletinFamily": "unix", "title": "plexus security update", "description": "**CentOS Errata and Security Advisory** CESA-2018:1836\n\n\nThe Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can utilise component-oriented programming to build modular, reusable components that can easily be assembled and reused. The plexus-archiver component provides functions to create and extract archives.\n\nSecurity Fix(es):\n\n* plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file (CVE-2018-1002200)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this issue.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2018-June/034960.html\n\n**Affected packages:**\nplexus-archiver\nplexus-archiver-javadoc\n\n**Upstream details at:**\n", "published": "2018-06-14T15:10:15", "modified": "2018-06-14T15:10:15", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "http://lists.centos.org/pipermail/centos-announce/2018-June/034960.html", "reporter": "CentOS Project", "references": ["http://steadfast.net/", "https://access.redhat.com/errata/RHSA-2018:1836"], "cvelist": ["CVE-2018-1002200"], "type": "centos", "lastseen": "2020-12-08T03:39:26", "edition": 5, "viewCount": 42, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-1002200"]}, {"type": "oraclelinux", "idList": ["ELSA-2018-1836"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704227", "OPENVAS:1361412562310874677", "OPENVAS:1361412562310882911", "OPENVAS:1361412562310874676"]}, {"type": "nessus", "idList": ["FEDORA_2018-6C55E1F79C.NASL", "CENTOS_RHSA-2018-1836.NASL", "FEDORA_2018-7A9A2F6EC0.NASL", "DEBIAN_DSA-4227.NASL", "REDHAT-RHSA-2018-1836.NASL", "ORACLELINUX_ELSA-2018-1836.NASL", "SL_20180612_PLEXUS_ARCHIVER_ON_SL7_X.NASL", "NEWSTART_CGSL_NS-SA-2019-0041_PLEXUS-ARCHIVER.NASL", "AL2_ALAS-2018-1043.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4227-1:1B227"]}, {"type": "fedora", "idList": ["FEDORA:8E2B260F8760", "FEDORA:26B5D613FFD4"]}, {"type": "redhat", "idList": ["RHSA-2018:1837", "RHSA-2018:1836"]}, {"type": "amazon", "idList": ["ALAS2-2018-1043"]}, {"type": "f5", "idList": ["F5:K64709522"]}], "modified": "2020-12-08T03:39:26", "rev": 2}, "score": {"value": 7.0, "vector": "NONE", "modified": "2020-12-08T03:39:26", "rev": 2}, "vulnersScore": 7.0}, "affectedPackage": [{"OS": "CentOS", "OSVersion": "7", "arch": "noarch", "operator": "lt", "packageFilename": "plexus-archiver-2.4.2-5.el7_5.noarch.rpm", "packageName": "plexus-archiver", "packageVersion": "2.4.2-5.el7_5"}, {"OS": "CentOS", "OSVersion": "7", "arch": "any", "operator": "lt", "packageFilename": "plexus-archiver-2.4.2-5.el7_5.src.rpm", "packageName": "plexus-archiver", "packageVersion": "2.4.2-5.el7_5"}, {"OS": "CentOS", "OSVersion": "7", "arch": "noarch", "operator": "lt", "packageFilename": "plexus-archiver-javadoc-2.4.2-5.el7_5.noarch.rpm", "packageName": "plexus-archiver-javadoc", "packageVersion": "2.4.2-5.el7_5"}], "scheme": null}

{"cve": [{"lastseen": "2021-02-02T06:52:23", "description": "plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-25T17:29:00", "title": "CVE-2018-1002200", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1002200"], "modified": "2019-10-09T23:32:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-1002200", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1002200", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*"]}], "redhat": [{"lastseen": "2019-08-13T18:46:10", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1002200"], "description": "The Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can utilise component-oriented programming to build modular, reusable components that can easily be assembled and reused. The plexus-archiver component provides functions to create and extract archives.\n\nSecurity Fix(es):\n\n* plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file (CVE-2018-1002200)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this issue.", "modified": "2018-06-12T18:20:21", "published": "2018-06-12T18:16:58", "id": "RHSA-2018:1836", "href": "https://access.redhat.com/errata/RHSA-2018:1836", "type": "redhat", "title": "(RHSA-2018:1836) Important: plexus-archiver security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-08-13T18:46:48", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1002200"], "description": "The Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can utilise component-oriented programming to build modular, reusable components that can easily be assembled and reused. The plexus-archiver component provides functions to create and extract archives.\n\nSecurity Fix(es):\n\n* plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file (CVE-2018-1002200)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this issue.", "modified": "2018-06-13T01:28:18", "published": "2018-06-12T18:38:33", "id": "RHSA-2018:1837", "href": "https://access.redhat.com/errata/RHSA-2018:1837", "type": "redhat", "title": "(RHSA-2018:1837) Important: rh-maven33-plexus-archiver and rh-maven35-plexus-archiver security update", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "amazon": [{"lastseen": "2020-11-10T12:34:38", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1002200"], "description": "**Issue Overview:**\n\nA path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names. A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vulnerable configurations.([CVE-2018-1002200 __](<https://access.redhat.com/security/cve/CVE-2018-1002200>))\n\n \n**Affected Packages:** \n\n\nplexus-archiver\n\n \n**Issue Correction:** \nRun _yum update plexus-archiver_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n plexus-archiver-2.4.2-5.amzn2.noarch \n plexus-archiver-javadoc-2.4.2-5.amzn2.noarch \n \n src: \n plexus-archiver-2.4.2-5.amzn2.src \n \n \n", "edition": 1, "modified": "2018-06-20T19:57:00", "published": "2018-06-20T19:57:00", "id": "ALAS2-2018-1043", "href": "https://alas.aws.amazon.com/AL2/ALAS-2018-1043.html", "title": "Important: plexus-archiver", "type": "amazon", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1002200"], "description": "The Plexus project seeks to create end-to-end developer tools for writing applications. At the core is the container, which can be embedded or for a full scale application server. There are many reusable components for hibernate, form processing, jndi, i18n, velocity, etc. Plexus also includes an application server which is like a J2EE application server, without all the baggage. ", "modified": "2018-06-14T18:18:27", "published": "2018-06-14T18:18:27", "id": "FEDORA:8E2B260F8760", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: plexus-archiver-3.4-4.fc27", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1002200"], "description": "The Plexus project seeks to create end-to-end developer tools for writing applications. At the core is the container, which can be embedded or for a full scale application server. There are many reusable components for hibernate, form processing, jndi, i18n, velocity, etc. Plexus also includes an application server which is like a J2EE application server, without all the baggage. ", "modified": "2018-06-14T19:18:19", "published": "2018-06-14T19:18:19", "id": "FEDORA:26B5D613FFD4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: plexus-archiver-3.5-6.fc28", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2021-01-07T10:18:44", "description": "Security fix: arbitrary file write vulnerability / arbitrary code\nexecution using a specially crafted zip file (CVE-2018-1002200)\n\nA path traversal vulnerability has been discovered in plexus-archiver\nwhen extracting a carefully crafted zip file which holds path\ntraversal file names. A remote attacker could use this vulnerability\nto write files outside the target directory and overwrite existing\nfiles with malicious code or vulnerable configurations.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this\nissue. External References:\nhttps://snyk.io/research/zip-slip-vulnerability\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 16, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}, "published": "2018-06-15T00:00:00", "title": "Fedora 27 : plexus-archiver (2018-6c55e1f79c)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "modified": "2018-06-15T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:27", "p-cpe:/a:fedoraproject:fedora:plexus-archiver"], "id": "FEDORA_2018-6C55E1F79C.NASL", "href": "https://www.tenable.com/plugins/nessus/110538", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-6c55e1f79c.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110538);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-1002200\");\n script_xref(name:\"FEDORA\", value:\"2018-6c55e1f79c\");\n\n script_name(english:\"Fedora 27 : plexus-archiver (2018-6c55e1f79c)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix: arbitrary file write vulnerability / arbitrary code\nexecution using a specially crafted zip file (CVE-2018-1002200)\n\nA path traversal vulnerability has been discovered in plexus-archiver\nwhen extracting a carefully crafted zip file which holds path\ntraversal file names. A remote attacker could use this vulnerability\nto write files outside the target directory and overwrite existing\nfiles with malicious code or vulnerable configurations.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this\nissue. External References:\nhttps://snyk.io/research/zip-slip-vulnerability\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-6c55e1f79c\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://snyk.io/research/zip-slip-vulnerability\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected plexus-archiver package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:plexus-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"plexus-archiver-3.4-4.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"plexus-archiver\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-18T02:48:37", "description": "Security Fix(es) :\n\n - plexus-archiver: arbitrary file write vulnerability /\n arbitrary code execution using a specially crafted zip\n file (CVE-2018-1002200)", "edition": 12, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}, "published": "2018-06-13T00:00:00", "title": "Scientific Linux Security Update : plexus-archiver on SL7.x (noarch) (20180612)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "modified": "2018-06-13T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:plexus-archiver-javadoc", "x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:plexus-archiver"], "id": "SL_20180612_PLEXUS_ARCHIVER_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/110508", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110508);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/24\");\n\n script_cve_id(\"CVE-2018-1002200\");\n\n script_name(english:\"Scientific Linux Security Update : plexus-archiver on SL7.x (noarch) (20180612)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - plexus-archiver: arbitrary file write vulnerability /\n arbitrary code execution using a specially crafted zip\n file (CVE-2018-1002200)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1806&L=scientific-linux-errata&F=&S=&P=2168\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b31faf2b\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected plexus-archiver and / or plexus-archiver-javadoc\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:plexus-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:plexus-archiver-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", reference:\"plexus-archiver-2.4.2-5.el7_5\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"plexus-archiver-javadoc-2.4.2-5.el7_5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"plexus-archiver / plexus-archiver-javadoc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-17T12:02:11", "description": "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has plexus-archiver packages installed that are\naffected by a vulnerability:\n\n - A path traversal vulnerability has been discovered in\n plexus-archiver when extracting a carefully crafted zip\n file which holds path traversal file names. A remote\n attacker could use this vulnerability to write files\n outside the target directory and overwrite existing\n files with malicious code or vulnerable configurations.\n (CVE-2018-1002200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 17, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}, "published": "2019-08-12T00:00:00", "title": "NewStart CGSL CORE 5.04 / MAIN 5.04 : plexus-archiver Vulnerability (NS-SA-2019-0041)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "modified": "2019-08-12T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2019-0041_PLEXUS-ARCHIVER.NASL", "href": "https://www.tenable.com/plugins/nessus/127216", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2019-0041. The text\n# itself is copyright (C) ZTE, Inc.\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127216);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2018-1002200\");\n\n script_name(english:\"NewStart CGSL CORE 5.04 / MAIN 5.04 : plexus-archiver Vulnerability (NS-SA-2019-0041)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by a vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has plexus-archiver packages installed that are\naffected by a vulnerability:\n\n - A path traversal vulnerability has been discovered in\n plexus-archiver when extracting a carefully crafted zip\n file which holds path traversal file names. A remote\n attacker could use this vulnerability to write files\n outside the target directory and overwrite existing\n files with malicious code or vulnerable configurations.\n (CVE-2018-1002200)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2019-0041\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL plexus-archiver packages. Note that updated packages may not be available yet. Please\ncontact ZTE for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1002200\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/ZTE-CGSL/release\");\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, \"NewStart Carrier Grade Server Linux\");\n\nif (release !~ \"CGSL CORE 5.04\" &&\n release !~ \"CGSL MAIN 5.04\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');\n\nif (!get_kb_item(\"Host/ZTE-CGSL/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"NewStart Carrier Grade Server Linux\", cpu);\n\nflag = 0;\n\npkgs = {\n \"CGSL CORE 5.04\": [\n \"plexus-archiver-2.4.2-5.el7_5\",\n \"plexus-archiver-javadoc-2.4.2-5.el7_5\"\n ],\n \"CGSL MAIN 5.04\": [\n \"plexus-archiver-2.4.2-5.el7_5\",\n \"plexus-archiver-javadoc-2.4.2-5.el7_5\"\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:\"ZTE \" + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"plexus-archiver\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-07T10:18:54", "description": "Security fix: arbitrary file write vulnerability / arbitrary code\nexecution using a specially crafted zip file (CVE-2018-1002200)\n\nA path traversal vulnerability has been discovered in plexus-archiver\nwhen extracting a carefully crafted zip file which holds path\ntraversal file names. A remote attacker could use this vulnerability\nto write files outside the target directory and overwrite existing\nfiles with malicious code or vulnerable configurations.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this\nissue. External References:\nhttps://snyk.io/research/zip-slip-vulnerability\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 11, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : plexus-archiver (2018-7a9a2f6ec0)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:plexus-archiver", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-7A9A2F6EC0.NASL", "href": "https://www.tenable.com/plugins/nessus/120553", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-7a9a2f6ec0.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120553);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-1002200\");\n script_xref(name:\"FEDORA\", value:\"2018-7a9a2f6ec0\");\n\n script_name(english:\"Fedora 28 : plexus-archiver (2018-7a9a2f6ec0)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix: arbitrary file write vulnerability / arbitrary code\nexecution using a specially crafted zip file (CVE-2018-1002200)\n\nA path traversal vulnerability has been discovered in plexus-archiver\nwhen extracting a carefully crafted zip file which holds path\ntraversal file names. A remote attacker could use this vulnerability\nto write files outside the target directory and overwrite existing\nfiles with malicious code or vulnerable configurations.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this\nissue. External References:\nhttps://snyk.io/research/zip-slip-vulnerability\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-7a9a2f6ec0\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://snyk.io/research/zip-slip-vulnerability\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected plexus-archiver package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:plexus-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"plexus-archiver-3.5-6.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"plexus-archiver\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-03-01T01:35:55", "description": "An update for plexus-archiver is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Plexus project provides a full software stack for creating and\nexecuting software projects. Based on the Plexus container, the\napplications can utilise component-oriented programming to build\nmodular, reusable components that can easily be assembled and reused.\nThe plexus-archiver component provides functions to create and extract\narchives.\n\nSecurity Fix(es) :\n\n* plexus-archiver: arbitrary file write vulnerability / arbitrary code\nexecution using a specially crafted zip file (CVE-2018-1002200)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this\nissue.", "edition": 25, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}, "published": "2018-06-15T00:00:00", "title": "CentOS 7 : plexus-archiver (CESA-2018:1836)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:plexus-archiver-javadoc", "p-cpe:/a:centos:centos:plexus-archiver"], "id": "CENTOS_RHSA-2018-1836.NASL", "href": "https://www.tenable.com/plugins/nessus/110536", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:1836 and \n# CentOS Errata and Security Advisory 2018:1836 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110536);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2019/12/31\");\n\n script_cve_id(\"CVE-2018-1002200\");\n script_xref(name:\"RHSA\", value:\"2018:1836\");\n\n script_name(english:\"CentOS 7 : plexus-archiver (CESA-2018:1836)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for plexus-archiver is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Plexus project provides a full software stack for creating and\nexecuting software projects. Based on the Plexus container, the\napplications can utilise component-oriented programming to build\nmodular, reusable components that can easily be assembled and reused.\nThe plexus-archiver component provides functions to create and extract\narchives.\n\nSecurity Fix(es) :\n\n* plexus-archiver: arbitrary file write vulnerability / arbitrary code\nexecution using a specially crafted zip file (CVE-2018-1002200)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this\nissue.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2018-June/022922.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3923376f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected plexus-archiver packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1002200\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:plexus-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:plexus-archiver-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"plexus-archiver-2.4.2-5.el7_5\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"plexus-archiver-javadoc-2.4.2-5.el7_5\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"plexus-archiver / plexus-archiver-javadoc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-03-01T01:19:14", "description": "A path traversal vulnerability has been discovered in plexus-archiver\nwhen extracting a carefully crafted zip file which holds path\ntraversal file names. A remote attacker could use this vulnerability\nto write files outside the target directory and overwrite existing\nfiles with malicious code or vulnerable\nconfigurations.(CVE-2018-1002200)", "edition": 23, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}, "published": "2018-06-29T00:00:00", "title": "Amazon Linux 2 : plexus-archiver (ALAS-2018-1043)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:plexus-archiver", "cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:plexus-archiver-javadoc"], "id": "AL2_ALAS-2018-1043.NASL", "href": "https://www.tenable.com/plugins/nessus/110782", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2018-1043.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110782);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/09/19 10:04:09\");\n\n script_cve_id(\"CVE-2018-1002200\");\n script_xref(name:\"ALAS\", value:\"2018-1043\");\n\n script_name(english:\"Amazon Linux 2 : plexus-archiver (ALAS-2018-1043)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux 2 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A path traversal vulnerability has been discovered in plexus-archiver\nwhen extracting a carefully crafted zip file which holds path\ntraversal file names. A remote attacker could use this vulnerability\nto write files outside the target directory and overwrite existing\nfiles with malicious code or vulnerable\nconfigurations.(CVE-2018-1002200)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/AL2/ALAS-2018-1043.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update plexus-archiver' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:plexus-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:plexus-archiver-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"AL2\", reference:\"plexus-archiver-2.4.2-5.amzn2\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"plexus-archiver-javadoc-2.4.2-5.amzn2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"plexus-archiver / plexus-archiver-javadoc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-03-01T01:57:02", "description": "Danny Grander discovered a directory traversal flaw in\nplexus-archiver, an Archiver plugin for the Plexus compiler system,\nallowing an attacker to overwrite any file writable by the extracting\nuser via a specially crafted Zip archive.", "edition": 25, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}, "published": "2018-06-13T00:00:00", "title": "Debian DSA-4227-1 : plexus-archiver - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:plexus-archiver", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4227.NASL", "href": "https://www.tenable.com/plugins/nessus/110503", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4227. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110503);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/11/13 12:30:47\");\n\n script_cve_id(\"CVE-2018-1002200\");\n script_xref(name:\"DSA\", value:\"4227\");\n\n script_name(english:\"Debian DSA-4227-1 : plexus-archiver - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Danny Grander discovered a directory traversal flaw in\nplexus-archiver, an Archiver plugin for the Plexus compiler system,\nallowing an attacker to overwrite any file writable by the extracting\nuser via a specially crafted Zip archive.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900953\"\n );\n # https://security-tracker.debian.org/tracker/source-package/plexus-archiver\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e0f6b9d5\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/plexus-archiver\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/plexus-archiver\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4227\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the plexus-archiver packages.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 1.2-1+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2.2-1+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:plexus-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libplexus-archiver-java\", reference:\"1.2-1+deb8u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libplexus-archiver-java\", reference:\"2.2-1+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-03-01T05:09:50", "description": "From Red Hat Security Advisory 2018:1836 :\n\nAn update for plexus-archiver is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Plexus project provides a full software stack for creating and\nexecuting software projects. Based on the Plexus container, the\napplications can utilise component-oriented programming to build\nmodular, reusable components that can easily be assembled and reused.\nThe plexus-archiver component provides functions to create and extract\narchives.\n\nSecurity Fix(es) :\n\n* plexus-archiver: arbitrary file write vulnerability / arbitrary code\nexecution using a specially crafted zip file (CVE-2018-1002200)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this\nissue.", "edition": 23, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}, "published": "2018-06-13T00:00:00", "title": "Oracle Linux 7 : plexus-archiver (ELSA-2018-1836)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:plexus-archiver", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:plexus-archiver-javadoc"], "id": "ORACLELINUX_ELSA-2018-1836.NASL", "href": "https://www.tenable.com/plugins/nessus/110505", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2018:1836 and \n# Oracle Linux Security Advisory ELSA-2018-1836 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110505);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/09/27 13:00:38\");\n\n script_cve_id(\"CVE-2018-1002200\");\n script_xref(name:\"RHSA\", value:\"2018:1836\");\n\n script_name(english:\"Oracle Linux 7 : plexus-archiver (ELSA-2018-1836)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2018:1836 :\n\nAn update for plexus-archiver is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Plexus project provides a full software stack for creating and\nexecuting software projects. Based on the Plexus container, the\napplications can utilise component-oriented programming to build\nmodular, reusable components that can easily be assembled and reused.\nThe plexus-archiver component provides functions to create and extract\narchives.\n\nSecurity Fix(es) :\n\n* plexus-archiver: arbitrary file write vulnerability / arbitrary code\nexecution using a specially crafted zip file (CVE-2018-1002200)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this\nissue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2018-June/007777.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected plexus-archiver packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:plexus-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:plexus-archiver-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"plexus-archiver-2.4.2-5.el7_5\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"plexus-archiver-javadoc-2.4.2-5.el7_5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"plexus-archiver / plexus-archiver-javadoc\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-03-01T05:44:35", "description": "An update for plexus-archiver is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Plexus project provides a full software stack for creating and\nexecuting software projects. Based on the Plexus container, the\napplications can utilise component-oriented programming to build\nmodular, reusable components that can easily be assembled and reused.\nThe plexus-archiver component provides functions to create and extract\narchives.\n\nSecurity Fix(es) :\n\n* plexus-archiver: arbitrary file write vulnerability / arbitrary code\nexecution using a specially crafted zip file (CVE-2018-1002200)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this\nissue.", "edition": 25, "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}, "published": "2018-06-13T00:00:00", "title": "RHEL 7 : plexus-archiver (RHSA-2018:1836)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "modified": "2021-03-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:plexus-archiver", "cpe:/o:redhat:enterprise_linux:7.7", "cpe:/o:redhat:enterprise_linux:7.5", "p-cpe:/a:redhat:enterprise_linux:plexus-archiver-javadoc", "cpe:/o:redhat:enterprise_linux:7", "cpe:/o:redhat:enterprise_linux:7.6"], "id": "REDHAT-RHSA-2018-1836.NASL", "href": "https://www.tenable.com/plugins/nessus/110507", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:1836. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110507);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/10/24 15:35:45\");\n\n script_cve_id(\"CVE-2018-1002200\");\n script_xref(name:\"RHSA\", value:\"2018:1836\");\n\n script_name(english:\"RHEL 7 : plexus-archiver (RHSA-2018:1836)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for plexus-archiver is now available for Red Hat Enterprise\nLinux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Plexus project provides a full software stack for creating and\nexecuting software projects. Based on the Plexus container, the\napplications can utilise component-oriented programming to build\nmodular, reusable components that can easily be assembled and reused.\nThe plexus-archiver component provides functions to create and extract\narchives.\n\nSecurity Fix(es) :\n\n* plexus-archiver: arbitrary file write vulnerability / arbitrary code\nexecution using a specially crafted zip file (CVE-2018-1002200)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, and other related information, refer to the CVE page(s)\nlisted in the References section.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this\nissue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://snyk.io/research/zip-slip-vulnerability\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:1836\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1002200\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected plexus-archiver and / or plexus-archiver-javadoc\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:plexus-archiver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:plexus-archiver-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7.7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:1836\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", reference:\"plexus-archiver-2.4.2-5.el7_5\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"plexus-archiver-javadoc-2.4.2-5.el7_5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"plexus-archiver / plexus-archiver-javadoc\");\n }\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-07-04T18:55:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "description": "Danny Grander discovered a directory traversal flaw in plexus-archiver,\nan Archiver plugin for the Plexus compiler system, allowing an attacker\nto overwrite any file writable by the extracting user via a specially\ncrafted Zip archive.", "modified": "2019-07-04T00:00:00", "published": "2018-06-12T00:00:00", "id": "OPENVAS:1361412562310704227", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704227", "type": "openvas", "title": "Debian Security Advisory DSA 4227-1 (plexus-archiver - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4227-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704227\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-1002200\");\n script_name(\"Debian Security Advisory DSA 4227-1 (plexus-archiver - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-12 00:00:00 +0200 (Tue, 12 Jun 2018)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4227.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB[89]\");\n script_tag(name:\"affected\", value:\"plexus-archiver on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the oldstable distribution (jessie), this problem has been fixed\nin version 1.2-1+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2.2-1+deb9u1.\n\nWe recommend that you upgrade your plexus-archiver packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/plexus-archiver\");\n script_tag(name:\"summary\", value:\"Danny Grander discovered a directory traversal flaw in plexus-archiver,\nan Archiver plugin for the Plexus compiler system, allowing an attacker\nto overwrite any file writable by the extracting user via a specially\ncrafted Zip archive.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libplexus-archiver-java\", ver:\"2.2-1+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libplexus-archiver-java\", ver:\"1.2-1+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "description": "Check the version of plexus-archiver", "modified": "2019-03-08T00:00:00", "published": "2018-06-15T00:00:00", "id": "OPENVAS:1361412562310882911", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882911", "type": "openvas", "title": "CentOS Update for plexus-archiver CESA-2018:1836 centos7", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_CESA-2018_1836_plexus-archiver_centos7.nasl 14058 2019-03-08 13:25:52Z cfischer $\n#\n# CentOS Update for plexus-archiver CESA-2018:1836 centos7\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.882911\");\n script_version(\"$Revision: 14058 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-08 14:25:52 +0100 (Fri, 08 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-15 05:47:33 +0200 (Fri, 15 Jun 2018)\");\n script_cve_id(\"CVE-2018-1002200\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"CentOS Update for plexus-archiver CESA-2018:1836 centos7\");\n script_tag(name:\"summary\", value:\"Check the version of plexus-archiver\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The Plexus project provides a full software\n stack for creating and executing software projects. Based on the Plexus\n container, the applications can utilise component-oriented programming to build\n modular, reusable components that can easily be assembled and reused. The\n plexus-archiver component provides functions to create and extract archives.\n\nSecurity Fix(es):\n\n * plexus-archiver: arbitrary file write vulnerability / arbitrary code\nexecution using a specially crafted zip file (CVE-2018-1002200)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, and other related information, refer to the CVE page(s) listed in\nthe References section.\n\nRed Hat would like to thank Danny Grander (Snyk) for reporting this issue.\");\n script_tag(name:\"affected\", value:\"plexus-archiver on CentOS 7\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"CESA\", value:\"2018:1836\");\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2018-June/022922.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS7\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS7\")\n{\n\n if ((res = isrpmvuln(pkg:\"plexus-archiver\", rpm:\"plexus-archiver~2.4.2~5.el7_5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"plexus-archiver-javadoc\", rpm:\"plexus-archiver-javadoc~2.4.2~5.el7_5\", rls:\"CentOS7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-06-15T00:00:00", "id": "OPENVAS:1361412562310874677", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874677", "type": "openvas", "title": "Fedora Update for plexus-archiver FEDORA-2018-6c55e1f79c", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_6c55e1f79c_plexus-archiver_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for plexus-archiver FEDORA-2018-6c55e1f79c\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874677\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-15 05:59:22 +0200 (Fri, 15 Jun 2018)\");\n script_cve_id(\"CVE-2018-1002200\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for plexus-archiver FEDORA-2018-6c55e1f79c\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'plexus-archiver'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"plexus-archiver on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-6c55e1f79c\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I7XAAUCTHL2PDJHW5Q2IYATOAXX4AFFU\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"plexus-archiver\", rpm:\"plexus-archiver~3.4~4.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1002200"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-06-15T00:00:00", "id": "OPENVAS:1361412562310874676", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874676", "type": "openvas", "title": "Fedora Update for plexus-archiver FEDORA-2018-7a9a2f6ec0", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_7a9a2f6ec0_plexus-archiver_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for plexus-archiver FEDORA-2018-7a9a2f6ec0\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874676\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-15 05:59:19 +0200 (Fri, 15 Jun 2018)\");\n script_cve_id(\"CVE-2018-1002200\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for plexus-archiver FEDORA-2018-7a9a2f6ec0\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'plexus-archiver'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"plexus-archiver on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-7a9a2f6ec0\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GZQQJQ2AQA6TR7BYV4DBSHZ3DE7ADWM3\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"plexus-archiver\", rpm:\"plexus-archiver~3.5~6.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debian": [{"lastseen": "2020-08-12T01:02:49", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1002200"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4227-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nJune 12, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : plexus-archiver\nCVE ID : CVE-2018-1002200\nDebian Bug : 900953\n\nDanny Grander discovered a directory traversal flaw in plexus-archiver,\nan Archiver plugin for the Plexus compiler system, allowing an attacker\nto overwrite any file writable by the extracting user via a specially\ncrafted Zip archive.\n\nFor the oldstable distribution (jessie), this problem has been fixed\nin version 1.2-1+deb8u1.\n\nFor the stable distribution (stretch), this problem has been fixed in\nversion 2.2-1+deb9u1.\n\nWe recommend that you upgrade your plexus-archiver packages.\n\nFor the detailed security status of plexus-archiver please refer to its\nsecurity tracker page at:\nhttps://security-tracker.debian.org/tracker/plexus-archiver\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 18, "modified": "2018-06-12T20:48:48", "published": "2018-06-12T20:48:48", "id": "DEBIAN:DSA-4227-1:1B227", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00156.html", "title": "[SECURITY] [DSA 4227-1] plexus-archiver security update", "type": "debian", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "oraclelinux": [{"lastseen": "2020-10-22T17:09:29", "bulletinFamily": "unix", "cvelist": ["CVE-2018-1002200"], "description": "[0:2.4.2-5]\n- Fix arbitrary file write vulnerability\n- Resolves: CVE-2018-1002200", "edition": 4, "modified": "2018-06-12T00:00:00", "published": "2018-06-12T00:00:00", "id": "ELSA-2018-1836", "href": "http://linux.oracle.com/errata/ELSA-2018-1836.html", "title": "plexus-archiver security update", "type": "oraclelinux", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "f5": [{"lastseen": "2020-04-06T22:39:28", "bulletinFamily": "software", "cvelist": ["CVE-2018-1002207", "CVE-2018-1002205", "CVE-2018-1002200", "CVE-2018-1002203", "CVE-2018-1002204", "CVE-2018-1002208", "CVE-2018-1002206", "CVE-2018-1002202", "CVE-2018-1002201", "CVE-2018-1002209"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-08-04T01:40:00", "published": "2018-08-04T01:40:00", "id": "F5:K64709522", "href": "https://support.f5.com/csp/article/K64709522", "title": "Multiple Zip Slip vulnerabilities ", "type": "f5", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}]}