CVE-2023-37460

Plexus Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver to extract an archive might lead to arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist, the `resolveFile()` function returns the symlink's source instead of its target, which passes the verification that ensures the file will not be extracted outside of the destination directory. Later, `Files.newOutputStream()`, which follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus-archiver to extract an untrusted archive is vulnerable to arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
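The following Java class is an added illustration of the failure mode the description lays out, not plexus-archiver's own code: a lexical containment check passes for a dangling symlink that already sits inside the destination, and `Files.newOutputStream()` then follows the link, while the hardened variant refuses pre-existing symlinks, checks the parent's real path and opens with `CREATE_NEW`. The method names `extractVulnerable`/`extractHardened` are hypothetical, and the demo assumes a Unix filesystem with symlink support.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.*;
// Added example, not plexus-archiver code. Method names are hypothetical.
public class SymlinkExtractDemo {
    // Vulnerable: the containment check is lexical, so a dangling symlink already
    // inside destDir passes it, then newOutputStream() follows the link.
    static void extractVulnerable(Path destDir, String entryName, byte[] data) throws IOException {
        Path target = destDir.resolve(entryName).normalize();
        if (!target.startsWith(destDir.normalize())) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        Files.createDirectories(target.getParent());
        try (OutputStream out = Files.newOutputStream(target)) { // follows symlinks by default
            out.write(data);
        }
    }
    // Hardened: refuse a pre-existing symlink, confirm the parent's real path is
    // still inside destDir (catches symlinked directories), and open with CREATE_NEW
    // (O_CREAT|O_EXCL on Unix) so a link raced in after the check fails the open.
    static void extractHardened(Path destDir, String entryName, byte[] data) throws IOException {
        Path target = destDir.resolve(entryName).normalize();
        if (!target.startsWith(destDir.normalize())) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        if (Files.isSymbolicLink(target)) {
            throw new IOException("refusing to write through symlink: " + target);
        }
        Files.createDirectories(target.getParent());
        if (!target.getParent().toRealPath().startsWith(destDir.toRealPath())) {
            throw new IOException("parent resolves outside destination: " + target);
        }
        try (OutputStream out = Files.newOutputStream(target,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            out.write(data);
        }
    }
    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("extract");
        Path planted = Files.createTempDirectory("outside").resolve("planted.txt"); // does not exist yet
        Files.createSymbolicLink(dest.resolve("entry.txt"), planted); // dangling link inside dest
        extractVulnerable(dest, "entry.txt", "data".getBytes());
        System.out.println("vulnerable wrote outside dest: " + Files.exists(planted)); // true
        try {
            extractHardened(dest, "entry.txt", "data".getBytes());
        } catch (IOException e) {
            System.out.println("hardened refused: " + e.getMessage());
        }
    }
}
```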
Path Traversal
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 8.1 HIGH | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS Percentile: 97%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| codehaus-plexus | plexus-archiver | x < 4.8.0 |

x = Vulnerable software versions
Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

| Vendor | Product | Version | Source |
|---|---|---|---|
| codehaus-plexus | plexus-archiver | x < 4.8.0 | ADP |
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| plexus-archiver | bionic | needs-triage |
| plexus-archiver | focal | needs-triage |
| plexus-archiver | jammy | needs-triage |
| plexus-archiver | lunar | ignored |
| plexus-archiver | mantic | ignored |
| plexus-archiver | noble | needs-triage |
| plexus-archiver | oracular | needs-triage |
| plexus-archiver | trusty | ignored |
| plexus-archiver | xenial | needs-triage |
openSUSE / SLES Releases

| Package | openSUSE Product | Release | Status |
|---|---|---|---|
| maven-archiver | suse enterprise desktop 15 SP5 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise desktop 15 SP6 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise desktop 15 SP7 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise sap 15 SP2 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise sap 15 SP3 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise sap 15 SP4 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise sap 15 SP5 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise sap 15 SP6 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise sap 15 SP7 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise server 15 SP2 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise server 15 SP3 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise server 15 SP4 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise server 15 SP5 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise server 15 SP6 | 3.6.1-150200.3.7.3 | fixed |
| maven-archiver | suse enterprise server 15 SP7 | 3.6.1-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise desktop 15 SP5 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise desktop 15 SP6 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise desktop 15 SP7 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise sap 15 SP2 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise sap 15 SP3 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise sap 15 SP4 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise sap 15 SP5 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise sap 15 SP6 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise sap 15 SP7 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise server 15 SP2 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise server 15 SP3 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise server 15 SP4 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise server 15 SP5 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise server 15 SP6 | 3.3.2-150200.3.7.3 | fixed |
| maven-common-artifact-filters | suse enterprise server 15 SP7 | 3.3.2-150200.3.7.3 | fixed |
| maven-compiler-plugin | suse enterprise desktop 15 SP5 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise desktop 15 SP6 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise desktop 15 SP7 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise sap 15 SP2 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise sap 15 SP3 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise sap 15 SP4 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise sap 15 SP5 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise sap 15 SP6 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise sap 15 SP7 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise server 15 SP2 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise server 15 SP3 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise server 15 SP4 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise server 15 SP5 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise server 15 SP6 | 3.11.0-150200.3.7.1 | fixed |
| maven-compiler-plugin | suse enterprise server 15 SP7 | 3.11.0-150200.3.7.1 | fixed |
| maven-plugin-annotations | suse enterprise desktop 15 SP5 | 3.9.0-150200.3.7.3 | fixed |
| maven-plugin-annotations | suse enterprise desktop 15 SP6 | 3.9.0-150200.3.7.3 | fixed |
| maven-plugin-annotations | suse enterprise sap 15 SP2 | 3.9.0-150200.3.7.3 | fixed |
| maven-plugin-annotations | suse enterprise sap 15 SP3 | 3.9.0-150200.3.7.3 | fixed |
| maven-plugin-annotations | suse enterprise sap 15 SP4 | 3.9.0-150200.3.7.3 | fixed |
| maven-plugin-annotations | suse enterprise sap 15 SP5 | 3.9.0-150200.3.7.3 | fixed |
| maven-plugin-annotations | suse enterprise sap 15 SP6 | 3.9.0-150200.3.7.3 | fixed |
| maven-plugin-annotations | suse enterprise server 15 SP2 | 3.9.0-150200.3.7.3 | fixed |
| maven-plugin-annotations | suse enterprise server 15 SP3 | 3.9.0-150200.3.7.3 | fixed |
| maven-plugin-annotations | suse enterprise server 15 SP4 | 3.9.0-150200.3.7.3 | fixed |
| maven-plugin-annotations | suse enterprise server 15 SP5 | 3.9.0-150200.3.7.3 | fixed |
| maven-plugin-annotations | suse enterprise server 15 SP6 | 3.9.0-150200.3.7.3 | fixed |
| objectweb-asm | suse enterprise sap 15 SP2 | 9.6-150200.3.11.3 | fixed |
| objectweb-asm | suse enterprise sap 15 SP3 | 9.6-150200.3.11.3 | fixed |
| objectweb-asm | suse enterprise sap 15 SP4 | 9.6-150200.3.11.3 | fixed |
| objectweb-asm | suse enterprise server 15 SP2 | 9.6-150200.3.11.3 | fixed |
| objectweb-asm | suse enterprise server 15 SP3 | 9.6-150200.3.11.3 | fixed |
| objectweb-asm | suse enterprise server 15 SP4 | 9.6-150200.3.11.3 | fixed |
| plexus-archiver | suse enterprise desktop 15 SP5 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise desktop 15 SP6 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise desktop 15 SP7 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise sap 15 SP2 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise sap 15 SP3 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise sap 15 SP4 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise sap 15 SP5 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise sap 15 SP6 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise sap 15 SP7 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise server 15 SP2 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise server 15 SP3 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise server 15 SP4 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise server 15 SP5 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise server 15 SP6 | 4.8.0-150200.3.7.2 | fixed |
| plexus-archiver | suse enterprise server 15 SP7 | 4.8.0-150200.3.7.2 | fixed |
| plexus-compiler | suse enterprise desktop 15 SP5 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise desktop 15 SP6 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise desktop 15 SP7 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise sap 15 SP2 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise sap 15 SP3 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise sap 15 SP4 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise sap 15 SP5 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise sap 15 SP6 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise sap 15 SP7 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise server 15 SP2 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise server 15 SP3 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise server 15 SP4 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise server 15 SP5 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise server 15 SP6 | 2.14.2-150200.3.9.2 | fixed |
| plexus-compiler | suse enterprise server 15 SP7 | 2.14.2-150200.3.9.2 | fixed |
Red Hat Enterprise Linux Releases

| Package | Red Hat Product | Release | Status |
|---|---|---|---|
| plexus-archiver | RHEL 7 | 0:2.4.2-6.el7_9 | fixed |
| plexus-archiver-javadoc | RHEL 7 | 0:2.4.2-6.el7_9 | fixed |