{"id":"CVE-2019-14452","details":"Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.","modified":"2026-04-16T04:43:20.852298905Z","published":"2019-07-31T02:15:10.977Z","references":[{"type":"WEB","url":"https://salvatoresecurity.com/zip-slip-in-sigil-cve-2019-14452/"},{"type":"ADVISORY","url":"https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505997355"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4085-1/"},{"type":"ADVISORY","url":"https://github.com/Sigil-Ebook/Sigil/compare/ea7f27d...5b867e5"},{"type":"ADVISORY","url":"https://github.com/Sigil-Ebook/Sigil/releases/tag/0.9.16"},{"type":"ADVISORY","url":"https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505967936"},{"type":"FIX","url":"https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4"},{"type":"FIX","url":"https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f"},{"type":"FIX","url":"https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/sigil-ebook/sigil","events":[{"introduced":"0"},{"fixed":"5b867e569f5bd3f471ae71f2e301624069712896"},{"fixed":"04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4"},{"fixed":"0979ba8d10c96ebca330715bfd4494ea0e019a8f"},{"fixed":"369eebe936e4a8c83cc54662a3412ce8bef189e4"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.9.16"}]}}],"versions":["0.4.2","0.5.0","0.5.1","0.5.2","0.5.3","0.6.0","0.6.1","0.6.2","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.8.900","0.8.901","0.9.0","0.9.1","0.9.10","0.9.11","0.9.12","0.9.13","0.9.15","0.9.2","0.9.3","0.9.4","0.9.5","0.9.6","0.9.7","0.9.8","0.9.9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0.9.2"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"19.04"}]}],"vanir_signatures":[{"digest":{"length":1854,"function_hash":"182395217239051067566291634887819240475"},"signature_version":"v1","id":"CVE-2019-14452-187fcff0","target":{"function":"Utility::UnZip","file":"src/Misc/Utility.cpp"},"deprecated":false,"signature_type":"Function","source":"https://github.com/sigil-ebook/sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f"},{"digest":{"threshold":0.9,"line_hashes":["31778958674837530317474274569413477196","293766748251520536127451115093031018929","186608153893597571221016396297903165953","51362202892592035626035691752460671402","16726271138158705511880064410444150119"]},"signature_version":"v1","id":"CVE-2019-14452-2f067d2f","target":{"file":"src/Importers/ImportEPUB.cpp"},"deprecated":false,"signature_type":"Line","source":"https://github.com/sigil-ebook/sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4"},{"digest":{"threshold":0.9,"line_hashes":["208043562837169991166544622942838125766","326803285296918462666518107266371185255"]},"signature_version":"v1","signature_type":"Line","target":{"file":"src/sigil_exception.h"},"deprecated":false,"id":"CVE-2019-14452-36998d3d","source":"https://github.com/sigil-ebook/sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f"},{"digest":{"threshold":0.9,"line_hashes":["130891689586634692963401675223951984388","102425373348876556544986942506246403476","246863910420444580698523536143003827497","122839018934126442639130559388211875848","220896107346917495667970250931919460495"]},"signature_version":"v1","id":"CVE-2019-14452-74de99f5","target":{"file":"src/Misc/Utility.cpp"},"deprecated":false,"signature_type":"Line","source":"https://github.com/sigil-ebook/sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f"},{"digest":{"length":2637,"function_hash":"159969796228099430892405562394044581018"},"signature_version":"v1","signature_type":"Function","target":{"function":"ImportEPUB::ExtractContainer","file":"src/Importers/ImportEPUB.cpp"},"deprecated":false,"id":"CVE-2019-14452-8b14dd4a","source":"https://github.com/sigil-ebook/sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4"},{"digest":{"threshold":0.9,"line_hashes":["91926295081885281339467081712180333814","185102269791397197616450499299782208388","222228852761138575611763980038136668554","290716185337369713183669438939510716289"]},"signature_version":"v1","signature_type":"Line","target":{"file":"src/BookManipulation/Book.cpp"},"deprecated":false,"id":"CVE-2019-14452-94aa0873","source":"https://github.com/sigil-ebook/sigil/commit/5b867e569f5bd3f471ae71f2e301624069712896"},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["102425373348876556544986942506246403476","28814639375271858089318625073850188912","170048157033856145625459111568499724887","303191948746478850412054177509340011880"]},"signature_type":"Line","target":{"file":"src/Importers/ImportEPUB.cpp"},"deprecated":false,"id":"CVE-2019-14452-b9e751b0","source":"https://github.com/sigil-ebook/sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4"},{"digest":{"length":2563,"function_hash":"82493519203815772685487879984072479769"},"signature_version":"v1","id":"CVE-2019-14452-f9f171b5","target":{"function":"ImportEPUB::ExtractContainer","file":"src/Importers/ImportEPUB.cpp"},"deprecated":false,"signature_type":"Function","source":"https://github.com/sigil-ebook/sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4"}],"vanir_signatures_modified":"2026-04-11T08:55:59Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-14452.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}