{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "3.0.0"
              },
              {
                "fixed": "3.3.2"
              }
            ]
          },
          "events": [
            {
              "introduced": "edeadbb1a3884e1a487283bcb73e823333fd1a10"
            },
            {
              "fixed": "c7eae9dcbcb1f0a0ce965184868097babf73d415"
            }
          ],
          "repo": "https://github.com/mholt/archiver",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "All versions of archiver allow an attacker to perform a Zip Slip attack via the \"unarchive\" functions. The flaw is exploited with a specially crafted zip archive that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a \"../../file.exe\" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily. (Although this description says \"all versions\", the affected ranges in this record list 3.0.0 as introduced and 3.3.2 as fixed.)",
  "id": "CVE-2019-10743",
  "modified": "2026-04-01T23:09:19.278416754Z",
  "published": "2019-10-29T19:15:16.610Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://snyk.io/research/zip-slip-vulnerability"
    },
    {
      "type": "ADVISORY",
      "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728%2C"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/mholt/archiver/pull/169"
    },
    {
      "type": "EVIDENCE",
      "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728"
    }
  ],
  "related": [
    "SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728,",
    "SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728"
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}