The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of 7-Zip

computer vulnerability alert CVE-2018-10115

7-Zip: vulnerability via RAR

Synthesis of the vulnerability

A vulnerability via RAR of 7-Zip was announced.
Impacted products: 7-Zip, Solaris.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 02/05/2018.
Identifiers: bulletinjul2018, CERTFR-2018-AVI-214, CVE-2018-10115, VIGILANCE-VUL-26026.

Description of the vulnerability

A vulnerability via RAR of 7-Zip was announced.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2017-17969 CVE-2018-5996

7-Zip: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of 7-Zip.
Impacted products: 7-Zip, Debian, Fedora, openSUSE Leap, Solaris, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 30/01/2018.
Identifiers: bulletinjul2018, CVE-2017-17969, CVE-2018-5996, DLA-1268-1, DSA-4104-1, FEDORA-2018-29232aa760, FEDORA-2018-7edc48be11, FEDORA-2018-cd4311d4d6, FEDORA-2018-f8ad787538, openSUSE-SU-2018:0497-1, SUSE-SU-2018:0464-1, Synology-SA-18:14, USN-3913-1, VIGILANCE-VUL-25181.

Description of the vulnerability

An attacker can use several vulnerabilities of 7-Zip.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2017-2107

7-Zip: code execution via 7-ZIP32.DLL

Synthesis of the vulnerability

An attacker can use a self-extracting archive created by 7-ZIP32.DLL of 7-Zip, in order to run code.
Impacted products: 7-Zip.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 02/05/2017.
Identifiers: CVE-2017-2107, JVN#86200862, VIGILANCE-VUL-22618.

Description of the vulnerability

An attacker can use a self-extracting archive created by 7-ZIP32.DLL of 7-Zip, in order to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2016-2334 CVE-2016-2335

7-Zip: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of 7-Zip.
Impacted products: 7-Zip, Debian, Fedora, openSUSE, openSUSE Leap, Solaris, Synology DS***, Synology RS***, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/05/2016.
Identifiers: bulletinjan2018, bulletinoct2016, CERTFR-2016-AVI-168, CVE-2016-2334, CVE-2016-2335, DLA-510-1, DSA-3599-1, FEDORA-2016-430bc0f808, FEDORA-2016-bbcb0e4eb4, openSUSE-SU-2016:1464-1, openSUSE-SU-2016:1675-1, openSUSE-SU-2016:1850-1, TALOS-CAN-0093, TALOS-CAN-0094, USN-3913-1, VIGILANCE-VUL-19612.

Description of the vulnerability

Several vulnerabilities were announced in 7-Zip.

An attacker can force a read at an invalid address with an UDF file, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2016-2335, TALOS-CAN-0094]

An attacker can generate a buffer overflow with an HFS file, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-2334, TALOS-CAN-0093]
Full Vigil@nce bulletin... (Free trial)

vulnerability alert 18671

Windows: code execution during application installation

Synthesis of the vulnerability

An attacker can invite the victim to download malicious libraries on Windows, in order to run code during the installation of an application requiring these DLL.
Impacted products: 7-Zip, ZoneAlarm, FileZilla Server, GIMP, Chrome, Kaspersky AV, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, Opera, Panda AV, Panda Internet Security, PuTTY, OfficeScan, TrueCrypt, VLC.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights.
Provenance: document.
Creation date: 11/01/2016.
Identifiers: sk110055, VIGILANCE-VUL-18671.

Description of the vulnerability

When a user installs a new application on Windows, he downloads the installation program (install.exe for example), and then runs it.

However, several installation programs load DLL (for example graph.dll) from the current directory. So, if an attacker invited the victim to download a malicious graph.dll file, before he runs install.exe from the Download directory, the code located in the DLL is run.

See also the bulletin VIGILANCE-VUL-19558 for other impacted products.

An attacker can therefore invite the victim to download malicious libraries on Windows, in order to run code during the installation of an application requiring these DLL.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about 7-Zip: