{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/vex/2018/cve-2018-17828-els_os-almalinux9_2esu.json"
      }
    ],
    "title": "Security update on CVE-2018-17828",
    "tracking": {
      "current_release_date": "2026-01-19T22:19:10Z",
      "generator": {
        "date": "2026-01-19T22:19:10Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2018-17828-ELS_OS-ALMALINUX9.2ESU",
      "initial_release_date": "2018-10-01T08:29:00Z",
      "revision_history": [
        {
          "date": "2018-10-01T08:29:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-11-29T10:36:50Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2025-12-23T19:08:30Z",
          "number": "3",
          "summary": "Update document"
        },
        {
          "date": "2026-01-19T22:19:10Z",
          "number": "4",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "4"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "zziplib-0:0.13.71-9.el9.i686",
                "product": {
                  "name": "zziplib-0:0.13.71-9.el9.i686",
                  "product_id": "zziplib-0:0.13.71-9.el9.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/zziplib@0.13.71-9.el9?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "zziplib-devel-0:0.13.71-9.el9.i686",
                "product": {
                  "name": "zziplib-devel-0:0.13.71-9.el9.i686",
                  "product_id": "zziplib-devel-0:0.13.71-9.el9.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/zziplib-devel@0.13.71-9.el9?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "zziplib-0:0.13.71-9.el9.x86_64",
                "product": {
                  "name": "zziplib-0:0.13.71-9.el9.x86_64",
                  "product_id": "zziplib-0:0.13.71-9.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/zziplib@0.13.71-9.el9?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "zziplib-devel-0:0.13.71-9.el9.x86_64",
                "product": {
                  "name": "zziplib-devel-0:0.13.71-9.el9.x86_64",
                  "product_id": "zziplib-devel-0:0.13.71-9.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/zziplib-devel@0.13.71-9.el9?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "zziplib-utils-0:0.13.71-9.el9.x86_64",
                "product": {
                  "name": "zziplib-utils-0:0.13.71-9.el9.x86_64",
                  "product_id": "zziplib-utils-0:0.13.71-9.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/zziplib-utils@0.13.71-9.el9?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "zziplib-0:0.13.71-9.el9.tuxcare.els1.i686",
                "product": {
                  "name": "zziplib-0:0.13.71-9.el9.tuxcare.els1.i686",
                  "product_id": "zziplib-0:0.13.71-9.el9.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/zziplib@0.13.71-9.el9.tuxcare.els1?arch=i686"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.i686",
                "product": {
                  "name": "zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.i686",
                  "product_id": "zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/zziplib-devel@0.13.71-9.el9.tuxcare.els1?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "zziplib-0:0.13.71-9.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "zziplib-0:0.13.71-9.el9.tuxcare.els1.x86_64",
                  "product_id": "zziplib-0:0.13.71-9.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/zziplib@0.13.71-9.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.x86_64",
                  "product_id": "zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/zziplib-devel@0.13.71-9.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "zziplib-utils-0:0.13.71-9.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "zziplib-utils-0:0.13.71-9.el9.tuxcare.els1.x86_64",
                  "product_id": "zziplib-utils-0:0.13.71-9.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/zziplib-utils@0.13.71-9.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zziplib-0:0.13.71-9.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.tuxcare.els1.i686"
        },
        "product_reference": "zziplib-0:0.13.71-9.el9.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zziplib-0:0.13.71-9.el9.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.i686"
        },
        "product_reference": "zziplib-0:0.13.71-9.el9.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zziplib-0:0.13.71-9.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "zziplib-0:0.13.71-9.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zziplib-0:0.13.71-9.el9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.x86_64"
        },
        "product_reference": "zziplib-0:0.13.71-9.el9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.i686"
        },
        "product_reference": "zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zziplib-devel-0:0.13.71-9.el9.i686 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.i686"
        },
        "product_reference": "zziplib-devel-0:0.13.71-9.el9.i686",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zziplib-devel-0:0.13.71-9.el9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.x86_64"
        },
        "product_reference": "zziplib-devel-0:0.13.71-9.el9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zziplib-utils-0:0.13.71-9.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:zziplib-utils-0:0.13.71-9.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "zziplib-utils-0:0.13.71-9.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "zziplib-utils-0:0.13.71-9.el9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:zziplib-utils-0:0.13.71-9.el9.x86_64"
        },
        "product_reference": "zziplib-utils-0:0.13.71-9.el9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-17828",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
      },
      "notes": [
        {
          "category": "description",
          "text": "Directory traversal vulnerability in ZZIPlib 0.13.69 allows attackers to overwrite arbitrary files via a .. (dot dot) in a zip file, because of the function unzzip_cat in the bins/unzzipcat-mem.c file.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.i686",
          "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.x86_64",
          "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.i686",
          "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.x86_64",
          "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.i686",
          "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:zziplib-utils-0:0.13.71-9.el9.x86_64",
          "AlmaLinux-9.2:zziplib-utils-0:0.13.71-9.el9.tuxcare.els1.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2018-17828"
        },
        {
          "category": "external",
          "summary": "https://github.com/gdraheim/zziplib/issues/62",
          "url": "https://github.com/gdraheim/zziplib/issues/62"
        }
      ],
      "release_date": "2018-10-01T08:29:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "This flaw is limited to ZZIPlib’s bundled unzip utilities (unzip-mem and unzzipcat variants) and is triggered only when a user explicitly processes a crafted ZIP locally, so it requires user interaction and has no network exposure. Although it enables path traversal, the process can only overwrite locations it already has write permission to; standard Unix permissions prevent modification of system files without elevated rights, constraining impact to the areas writable by the invoking user. With no confidentiality or availability impact, and with the issue confined to auxiliary tools rather than typical server operation, it is reasonable to deprioritize this issue in managed VM/server environments.",
          "product_ids": [
            "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.i686",
            "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.x86_64",
            "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.i686",
            "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.x86_64",
            "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:zziplib-utils-0:0.13.71-9.el9.x86_64",
            "AlmaLinux-9.2:zziplib-utils-0:0.13.71-9.el9.tuxcare.els1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "version": "3.0"
          },
          "products": [
            "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.i686",
            "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.x86_64",
            "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:zziplib-0:0.13.71-9.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.i686",
            "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.x86_64",
            "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.i686",
            "AlmaLinux-9.2:zziplib-devel-0:0.13.71-9.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:zziplib-utils-0:0.13.71-9.el9.x86_64",
            "AlmaLinux-9.2:zziplib-utils-0:0.13.71-9.el9.tuxcare.els1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}