CVE-2018-17297: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

October 17, 2018 (updated September 17, 2021)

The unzip function in ZipUtil.java in Hutool before 4.1.12 allows remote attackers to overwrite arbitrary files via directory traversal sequences in a filename within a ZIP archive.

References

github.com/advisories/GHSA-rhq2-2574-78mc
github.com/looly/hutool/issues/162
nvd.nist.gov/vuln/detail/CVE-2018-17297

Code Behaviors & Features

Detect and mitigate CVE-2018-17297 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →