[MAVEN:GHSA-HCXQ-X77Q-3469] Improper Limitation of a Pathname to a Restricted Directory in plexus-archiver

Severity Moderate

Affected Packages 1

Fixed Packages 1

CVEs 1

plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Package	Affected Version
pkg:maven/org.codehaus.plexus/plexus-archiver	< 3.6.0

Package	Fixed Version
pkg:maven/org.codehaus.plexus/plexus-archiver	= 3.6.0

ID

MAVEN:GHSA-HCXQ-X77Q-3469

Severity

moderate

URL

https://github.com/advisories/GHSA-hcxq-x77q-3469

Published

2022-05-13T01:35:03
(2 years ago)

Modified

2023-01-27T05:02:16
(20 months ago)

Rights

Maven Security Team

Other Advisories

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2018-1002200
			https://github.com/codehaus-plexus/plexus-archiver/pull/87
			https://github.com/codehaus-plexus/plexus-archiver/commit/f8f4233508193b70df33759ae9dc6154d69c2ea8
			https://access.redhat.com/errata/RHSA-2018:1836
			https://access.redhat.com/errata/RHSA-2018:1837
			https://github.com/snyk/zip-slip-vulnerability
			https://snyk.io/research/zip-slip-vulnerability
			https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680
			https://www.debian.org/security/2018/dsa-4227
			https://github.com/advisories/GHSA-hcxq-x77q-3469

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.codehaus.plexus/plexus-archiver	org.codehaus.plexus	plexus-archiver	< 3.6.0
Fixed	pkg:maven/org.codehaus.plexus/plexus-archiver	org.codehaus.plexus	plexus-archiver	= 3.6.0

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date