CVE-2019-14452

Description

Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.

References

Link	Tags
https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505967936	third party advisory
https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505997355	third party advisory
https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4	third party advisory patch
https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4	third party advisory patch
https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f	third party advisory patch
https://github.com/Sigil-Ebook/Sigil/releases/tag/0.9.16	third party advisory release notes
https://github.com/Sigil-Ebook/Sigil/compare/ea7f27d...5b867e5	third party advisory
https://usn.ubuntu.com/4085-1/	third party advisory vendor advisory
https://salvatoresecurity.com/zip-slip-in-sigil-cve-2019-14452/

Frequently Asked Questions

What is the severity of CVE-2019-14452?: CVE-2019-14452 has been scored as a high severity vulnerability.
How to fix CVE-2019-14452?: To fix CVE-2019-14452, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2019-14452 being actively exploited in the wild?: It is possible that CVE-2019-14452 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~3% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions