{"id":"GHSA-7378-6268-4278","summary":"DotNetZip Zip-Slip Vulnerability","details":"DotNetZip.Semverd before 1.11.0 is vulnerable to directory traversal: a ../ (dot dot slash) sequence in a Zip archive entry name is mishandled during extraction, allowing attackers to write to arbitrary files outside the intended extraction directory. This vulnerability is also known as 'Zip-Slip'. Fixed in 1.11.0; upgrade to that version or later.","aliases":["CVE-2018-1002205"],"modified":"2025-05-06T18:31:16.724917Z","published":"2018-10-16T17:16:40Z","database_specific":{"github_reviewed_at":"2020-06-16T21:21:07Z","severity":"MODERATE","nvd_published_at":"2018-07-25T17:29:01Z","cwe_ids":["CWE-22"],"github_reviewed":true},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1002205"},{"type":"WEB","url":"https://github.com/haf/DotNetZip.Semverd/pull/121"},{"type":"WEB","url":"https://github.com/haf/DotNetZip.Semverd/commit/55d2c13c0cc64654e18fcdd0038fdb3d7458e366"},{"type":"WEB","url":"https://github.com/snyk/zip-slip-vulnerability"},{"type":"WEB","url":"https://snyk.io/research/zip-slip-vulnerability"},{"type":"WEB","url":"https://snyk.io/vuln/SNYK-DOTNET-DOTNETZIP-60245"}],"affected":[{"package":{"name":"DotNetZip","ecosystem":"NuGet","purl":"pkg:nuget/DotNetZip"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.11.0"}]}],"versions":["1.0.0","1.10.0","1.10.1","1.9.0","1.9.0-rc1","1.9.1.8","1.9.2","1.9.2-rc1","1.9.3","1.9.5","1.9.6","1.9.7","1.9.8","1.9.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-7378-6268-4278/GHSA-7378-6268-4278.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"}]}