{"id":"CVE-2019-10743","details":"All versions of archiver allow an attacker to perform a Zip Slip attack via the \"unarchive\" functions. It is exploited using a specially crafted zip archive that holds path traversal filenames. When exploited, a filename in a malicious archive is concatenated to the target extraction directory, which results in the final path ending up outside of the target folder. For instance, a zip may hold a file with a \"../../file.exe\" location and thus break out of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.","aliases":["GHSA-h74j-692g-48mq"],"modified":"2026-04-02T01:29:14.876917Z","published":"2019-10-29T19:15:16.610Z","related":["SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728","SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728,"],"references":[{"type":"ADVISORY","url":"https://snyk.io/research/zip-slip-vulnerability"},{"type":"ADVISORY","url":"https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728%2C"},{"type":"REPORT","url":"https://github.com/mholt/archiver/pull/169"},{"type":"EVIDENCE","url":"https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMHOLTARCHIVERCMDARC-174728"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mholt/archiver","events":[{"introduced":"edeadbb1a3884e1a487283bcb73e823333fd1a10"},{"fixed":"c7eae9dcbcb1f0a0ce965184868097babf73d415"}],"database_specific":{"versions":[{"introduced":"3.0.0"},{"fixed":"3.3.2"}]}}],"versions":["v3.0.0","v3.0.1","v3.1.0","v3.1.1","v3.2.0","v3.3.0","v3.3.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-10743.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}