CVE-2019-14452 - Vulnerability Details - OpenCVE

Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Flightcrew Project	Flightcrew
Sigil-ebook	Sigil

Configuration 1 [-]

cpe:2.3:a:sigil-ebook:sigil:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:flightcrew_project:flightcrew:*:*:*:*:*:sigil:*:*

Configuration 3 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:19.04:::::::*

No data.

References

Link	Providers
https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4
https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f
https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4
https://github.com/Sigil-Ebook/Sigil/compare/ea7f27d...5b867e5
https://github.com/Sigil-Ebook/Sigil/releases/tag/0.9.16
https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505967936
https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505997355
https://salvatoresecurity.com/zip-slip-in-sigil-cve-2019-14452/
https://usn.ubuntu.com/4085-1/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-07-31T01:33:44

Updated: 2024-08-05T00:19:41.064Z

Reserved: 2019-07-30T00:00:00

Link: CVE-2019-14452

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-31T02:15:10.977

Modified: 2024-11-21T04:26:46.227

Link: CVE-2019-14452

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-05T21:23:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505967936"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505997355"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Sigil-Ebook/Sigil/releases/tag/0.9.16"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Sigil-Ebook/Sigil/compare/ea7f27d...5b867e5"}, {"name": "USN-4085-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4085-1/"}, {"tags": ["x_refsource_MISC"], "url": "https://salvatoresecurity.com/zip-slip-in-sigil-cve-2019-14452/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14452", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505967936", "refsource": "MISC", "url": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505967936"}, {"name": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505997355", "refsource": "MISC", "url": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505997355"}, {"name": "https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4", "refsource": "MISC", "url": "https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4"}, {"name": "https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4", "refsource": "MISC", "url": "https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4"}, {"name": "https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f", "refsource": "MISC", "url": "https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f"}, {"name": "https://github.com/Sigil-Ebook/Sigil/releases/tag/0.9.16", "refsource": "MISC", "url": "https://github.com/Sigil-Ebook/Sigil/releases/tag/0.9.16"}, {"name": "https://github.com/Sigil-Ebook/Sigil/compare/ea7f27d...5b867e5", "refsource": "MISC", "url": "https://github.com/Sigil-Ebook/Sigil/compare/ea7f27d...5b867e5"}, {"name": "USN-4085-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4085-1/"}, {"name": "https://salvatoresecurity.com/zip-slip-in-sigil-cve-2019-14452/", "refsource": "MISC", "url": "https://salvatoresecurity.com/zip-slip-in-sigil-cve-2019-14452/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:19:41.064Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505967936"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505997355"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Sigil-Ebook/Sigil/releases/tag/0.9.16"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Sigil-Ebook/Sigil/compare/ea7f27d...5b867e5"}, {"name": "USN-4085-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4085-1/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://salvatoresecurity.com/zip-slip-in-sigil-cve-2019-14452/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14452", "datePublished": "2019-07-31T01:33:44", "dateReserved": "2019-07-30T00:00:00", "dateUpdated": "2024-08-05T00:19:41.064Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sigil-ebook:sigil:*:*:*:*:*:*:*:*", "matchCriteriaId": "32D6FADF-0530-42A9-81BA-E2A317470262", "versionEndExcluding": "0.9.16", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:flightcrew_project:flightcrew:*:*:*:*:*:sigil:*:*", "matchCriteriaId": "3AF7EB27-3012-465F-A35E-D7214E6548A0", "versionStartIncluding": "0.9.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Sigil before 0.9.16 is vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction."}, {"lang": "es", "value": "Sigil anterior a versi\u00f3n 0.9.16, es vulnerable a un salto de directorio, permitiendo a los atacantes escribir archivos arbitrarios por medio de un ../ (punto punto barra) en una entrada de archivo ZIP que es manejada inapropiadamente durante la extracci\u00f3n."}], "id": "CVE-2019-14452", "lastModified": "2024-11-21T04:26:46.227", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-31T02:15:10.977", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/Sigil/compare/ea7f27d...5b867e5"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/Sigil/releases/tag/0.9.16"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505967936"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505997355"}, {"source": "cve@mitre.org", "url": "https://salvatoresecurity.com/zip-slip-in-sigil-cve-2019-14452/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4085-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/04e2f280cc4a0766bedcc7b9eb56449ceecc2ad4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/0979ba8d10c96ebca330715bfd4494ea0e019a8f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/Sigil/commit/369eebe936e4a8c83cc54662a3412ce8bef189e4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/Sigil/compare/ea7f27d...5b867e5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/Sigil/releases/tag/0.9.16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505967936"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/Sigil-Ebook/flightcrew/issues/52#issuecomment-505997355"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://salvatoresecurity.com/zip-slip-in-sigil-cve-2019-14452/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4085-1/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}