CVE-2008-5658

Advisory lineage Upstream: 0 Downstream: 3
Modified
Published: 17 Dec 2008, 20:00
Last modified:07 Aug 2024, 11:04

Vulnerability Summary

Overall Risk (default)
medium
40/100
CVSS Score
7.5 HIGH
v2.0 (nvd)
EPSS Score
2.36% LOW
2% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

17 Dec 2008, 20:00
Published
Vulnerability first disclosed
07 Aug 2024, 11:04
Last Modified
Vulnerability information updated

Description

Directory traversal vulnerability in the ZipArchive::extractTo function in PHP 5.2.6 and earlier allows context-dependent attackers to write arbitrary files via a ZIP file with a file whose name contains .. (dot dot) sequences.

CVSS Metrics

  • v2.0HIGHScore: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 2.36% Percentile: 85%

Techniques & Countermeasures

  • CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Affected Systems

  • UnknownPHP

    ≤ 5.2.6 | 5.0.0 | 5.0.0:beta1 | 5.0.0:beta2 | 5.0.0:beta3 | 5.0.0:beta4 | 5.0.0:rc1 | 5.0.0:rc2 | 5.0.0:rc3 | 5.0.1 | 5.0.2 | 5.0.3 | 5.0.4 | 5.0.5 | 5.1.0 | 5.1.1 | 5.1.2 | 5.1.3 | 5.1.4 | 5.1.5 | 5.1.6 | 5.2.0 | 5.2.1 | 5.2.2 | 5.2.3 | 5.2.4 | 5.2.5

References (21)