
CVE-2018-1263: spring-integration-zip Arbitrary File Write

CVSS Score (v3.1)
4.7

Basic Information

EPSS Score
0.80646%
Published
5/13/2022
Updated
4/12/2024
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Package Name
org.springframework.integration:spring-integration-zip
Ecosystem
maven
Vulnerable Versions
< 1.0.2
First Patched Version
1.0.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from an incomplete path traversal check in UnZipTransformer when zip entries are returned as byte arrays (ZipResultType.BYTE_ARRAY). The pre-patch code validated each entry name against the destination directory only for the FILE result type and skipped that validation on the BYTE_ARRAY path, so an entry name containing ../ segments passed through unchecked. Commit d10f537 fixed this by calling checkPath() in both cases. UnZipTransformer's process method handles each archive entry, which makes it the vulnerable function. The test added in UnZip2FileTests.java covers this scenario by asserting that traversal entry names cause an exception.
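As an added illustration (this is example code written for this page, not the spring-integration-zip implementation), the snippet below shows the kind of canonical-path check the fix applies to both result types. The class name ZipSlipCheck, the checkPath signature and the in-memory crafted archive are assumptions made for the example; the archive contents are constructed inline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class ZipSlipCheck {

    // Rejects any entry whose resolved path escapes the extraction directory.
    // Illustrative stand-in for the checkPath() idea described above; not the project's code.
    static File checkPath(String entryName, File destinationDir) throws IOException {
        File target = new File(destinationDir, entryName);
        // Trailing separator prevents "/tmp/target" from matching "/tmp/target-other".
        String canonicalDir = destinationDir.getCanonicalPath() + File.separator;
        String canonicalTarget = target.getCanonicalPath();
        if (!canonicalTarget.startsWith(canonicalDir)) {
            throw new IOException("Zip entry '" + entryName
                    + "' escapes the target directory: " + canonicalTarget);
        }
        return target;
    }

    // Constructed in-memory archive: one benign entry and one traversal entry.
    static byte[] craftedArchive() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("notes.txt"));
            zos.write("benign".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../evil.txt"));
            zos.write("escaped".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File dest = new File(System.getProperty("java.io.tmpdir"), "unzip-target");
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(craftedArchive()))) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // Reading the bytes first mirrors the BYTE_ARRAY mode, where the entry is
                // buffered in memory; before the fix the raw entry name was passed on unchecked.
                byte[] data = zis.readAllBytes(); // Java 9+
                try {
                    File safe = checkPath(entry.getName(), dest); // hardened behaviour
                    System.out.println("OK   " + entry.getName() + " -> " + safe
                            + " (" + data.length + " bytes)");
                } catch (IOException e) {
                    System.out.println("DROP " + e.getMessage());
                }
            }
        }
    }
}
```

Running it prints an OK line for notes.txt and a DROP line for ../../evil.txt. The check runs regardless of whether the entry will be written to disk or kept in memory, which is the property the patch restored: a BYTE_ARRAY result keyed by an unvalidated entry name still carries the traversal into whatever component consumes it next.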


WAF Protection Rules

WAF Rule

Addresses partial fix in CVE-2018-1261. Pivotal spring-integration-zip, versions prior to 1.0.2, exposes an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz
