CVE-2015-0557: Path Traversal
First published: Fri Jan 02 2015(Updated: )
Open-source ARJ archiver 3.10.22 does not properly remove leading slashes from paths, which allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path in an ARJ archive.
Credit: security@debian.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/arj | <=3.10.22-9<=3.10.22-10<=3.10.22-12 | 3.10.22-13 3.10.22-10+deb7u1 3.10.22-9+deb6u1 |
| debian/arj | 3.10.22-24 3.10.22-26 3.10.22-27 | |
| ARJ Archiver | <=3.10.22 | |
| Fedora | =20 | |
| Fedora | =21 | |
| Fedora | =22 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bitbucket.org/jwilk/path-traversal-samples
- https://security-tracker.debian.org/tracker/CVE-2015-0557
- https://security-tracker.debian.org/tracker/CVE-2015-0556
- https://security-tracker.debian.org/tracker/CVE-2015-2782
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774435
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154518.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/154605.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155011.html
- http://www.debian.org/security/2015/dsa-3213
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:201
- http://www.openwall.com/lists/oss-security/2015/01/03/5
- http://www.openwall.com/lists/oss-security/2015/01/05/9
- http://www.securityfocus.com/bid/71895
- https://security.gentoo.org/glsa/201612-15
Frequently Asked Questions
What is the severity of CVE-2015-0557?
CVE-2015-0557 is classified as a high-severity vulnerability due to its potential for absolute path traversal attacks.
How do I fix CVE-2015-0557?
To mitigate CVE-2015-0557, users should update their ARJ archiver to version 3.10.22-24 or later.
What software is affected by CVE-2015-0557?
CVE-2015-0557 affects the ARJ archiver versions up to and including 3.10.22 on various Debian and Fedora installations.
What kind of attack can CVE-2015-0557 allow?
CVE-2015-0557 allows remote attackers to conduct absolute path traversal attacks, giving them the ability to write to arbitrary files.
Is CVE-2015-0557 still a concern for users of ARJ archiver?
Yes, CVE-2015-0557 remains a concern for users who have not upgraded to the patched versions of the ARJ archiver.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/author
- agent/last-modified-date
- agent/description
- collector/debian-bugs
- source/Debian
- alias/CVE-2015-0557
- agent/software-canonical-lookup
- agent/event
- collector/security-tracker-debian
- agent/weakness
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/arj software
- canonical/arj archiver
- version/arj archiver/3.10.22
- vendor/fedoraproject
- canonical/fedora
- version/fedora/20
- version/fedora/21
- version/fedora/22