CVE-2018-10862 — Improper Limitation of a Pathname to a Restricted Directory in WildFly

Description

WildFly Core before version 6.0.0.Alpha3 does not properly validate file paths in .war archives, allowing for the extraction of crafted .war archives to overwrite arbitrary files. This is an instance of the 'Zip Slip' vulnerability.

How to fix CVE-2018-10862

To remediate CVE-2018-10862, upgrade the affected package to a fixed version below.

—upgrade to 6.0.0.Alpha3 or later

Is CVE-2018-10862 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 6.0.0.Alpha3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-10862
WEBaccess.redhat.com/errata/RHSA-2018:2276
WEBaccess.redhat.com/errata/RHSA-2018:2277
WEBaccess.redhat.com/errata/RHSA-2018:2279
WEBaccess.redhat.com