Homepage
About Snyk

org.codehaus.plexus:plexus-archiver@4.7.0 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.codehaus.plexus:plexus-archiver package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal which might lead to an arbitrary file creation and possibly remote code execution.

When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the resolveFile() function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later Files.newOutputStream(), that follows symlinks by default, will actually write the entry's content to the symlink's target.

How to fix Directory Traversal?

Upgrade org.codehaus.plexus:plexus-archiver to version 4.8.0 or higher.

[,4.8.0)
Go back to all versions of this package