CVE-2015-0557: Path Traversal
First published: Fri Jan 02 2015(Updated: )
Open-source ARJ archiver 3.10.22 does not properly remove leading slashes from paths, which allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path in an ARJ archive.
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Arj Software Arj Archiver | <=3.10.22 | |
| Fedoraproject Fedora | =20 | |
| Fedoraproject Fedora | =21 | |
| Fedoraproject Fedora | =22 | |
| debian/arj | <=3.10.22-9<=3.10.22-10<=3.10.22-12 | 3.10.22-13 3.10.22-10+deb7u1 3.10.22-9+deb6u1 |
| debian/arj | 3.10.22-24 3.10.22-26 3.10.22-27 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bitbucket.org/jwilk/path-traversal-samples
- https://security-tracker.debian.org/tracker/CVE-2015-0557
- https://security-tracker.debian.org/tracker/CVE-2015-0556
- https://security-tracker.debian.org/tracker/CVE-2015-2782
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774435
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154518.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154605.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155011.html
- http://www.debian.org/security/2015/dsa-3213
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:201
- http://www.openwall.com/lists/oss-security/2015/01/03/5
- http://www.openwall.com/lists/oss-security/2015/01/05/9
- http://www.securityfocus.com/bid/71895
- https://security.gentoo.org/glsa/201612-15
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/last-modified-date
- agent/description
- collector/debian-bugs
- source/Debian
- alias/CVE-2015-0557
- agent/software-canonical-lookup
- agent/event
- collector/security-tracker-debian
- agent/weakness
- agent/softwarecombine
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/arj software
- canonical/arj software arj archiver
- version/arj software arj archiver/3.10.22
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/20
- version/fedoraproject fedora/21
- version/fedoraproject fedora/22