CVE-2019-13241

Published: 04 July 2019

FlightCrew v0.9.2 and older are vulnerable to a directory traversal, allowing attackers to write arbitrary files via a ../ (dot dot slash) in a ZIP archive entry that is mishandled during extraction.

From the Ubuntu security team

Mike Salvatore discovered that FlightCrew mishandled certain malformed EPUB files. An attacker could use this vulnerability to write arbitrary files to the filesystem.
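
The containment check that this class of bug calls for, as an added example: it is not FlightCrew's code or its fix, and the function names and sample entry names are assumptions constructed for illustration. It flags ZIP/EPUB entries whose names would resolve outside the extraction directory and refuses to extract an archive that contains any.

```python
import io
import posixpath
import zipfile


def is_unsafe(name):
    """True if an entry name would resolve outside the extraction root."""
    path = name.replace("\\", "/")          # treat both separators alike
    if path.startswith("/") or path[1:2] == ":":
        return True                          # absolute path or drive letter
    norm = posixpath.normpath(path)          # collapses "a/../b" to "b"
    return norm == ".." or norm.startswith("../")


def unsafe_entries(archive_bytes):
    """List the entry names in a ZIP/EPUB that fail the containment check."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe(i.filename)]


def extract_checked(archive_bytes, dest):
    """Extract only if every entry stays under dest; otherwise refuse."""
    bad = unsafe_entries(archive_bytes)
    if bad:
        raise ValueError("entries escape extraction root: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        zf.extractall(dest)
        return zf.namelist()


def build_sample(names):
    """Constructed test archive: one small entry per name, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"sample")
    return buf.getvalue()


if __name__ == "__main__":
    epub = build_sample(["mimetype", "OEBPS/content.opf",
                         "OEBPS/../../outside.txt"])
    print(unsafe_entries(epub))
```

Python's own `zipfile` extraction already strips `..` components from member names; the explicit check shows what an extractor that joins entry names to a destination path by hand has to do before writing.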

Priority

Medium

CVSS 3 base score: 7.8

Status

Package: flightcrew (Launchpad, Ubuntu, Debian)

Release: Status
Upstream: Needed
Ubuntu 18.04 LTS (Bionic Beaver): Released (0.7.2+dfsg-10ubuntu0.1)
Ubuntu 16.04 ESM (Xenial Xerus): Released (0.7.2+dfsg-6ubuntu0.1)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist