org.codehaus.plexus:plexus-utils@1.4-alpha-1 vulnerabilities

  • latest version

    4.0.2

  • latest non vulnerable version

  • first published

    20 years ago

  • latest version published

    1 year ago

  • licenses detected

  • package registry

  • Direct Vulnerabilities

    Known vulnerabilities in the org.codehaus.plexus:plexus-utils package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable version
    • Severity: Medium
    XML External Entity (XXE) Injection

    org.codehaus.plexus:plexus-utils is a collection of various utility classes to ease working with strings, files, command lines, XML and more.

    Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence. This means that text contained in the comment string can close the comment early and be interpreted as XML, allowing XML injection.

    How to fix XML External Entity (XXE) Injection?

    Upgrade org.codehaus.plexus:plexus-utils to version 3.0.24 or higher.

    Vulnerable versions: [,3.0.24)
    • Severity: Medium
    Directory Traversal

    An attacker could access arbitrary files and directories stored on the file system by manipulating files with dot-dot-slash (../) sequences and their variations or by using absolute file paths.

    Note:

    There is no indication that access to the filesystem beyond that of the application user can be achieved. So typical deployments will have only limited confidentiality impact from this vulnerability.

    Vulnerable versions: [,3.0.24)
    • Severity: Critical
    Shell Command Injection

    Codehaus Plexus is a collection of components used by Apache Maven.

    Affected versions of this package are vulnerable to Shell Command Injection. The Commandline class in plexus-utils does not correctly quote the contents of double-quoted strings.

    How to fix Shell Command Injection?

    Upgrade Codehaus Plexus to version 3.0.16 or higher.

    Vulnerable versions: [,3.0.16)