org.codehaus.plexus:plexus-utils@2.0.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.codehaus.plexus:plexus-utils package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability (severity) and vulnerable version range
  • XML External Entity (XXE) Injection (severity: Medium)

org.codehaus.plexus:plexus-utils is a collection of various utility classes to ease working with strings, files, command lines, XML and more.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to sanitize comments for a --> sequence: if the comment string contains -->, the comment is terminated early and the remainder of the string is emitted as live markup, so an attacker who controls the comment text can inject arbitrary XML into the generated document. Note that, despite the advisory title, the defect described is markup injection through the comment writer rather than external-entity resolution.

How to fix XML External Entity (XXE) Injection?

Upgrade org.codehaus.plexus:plexus-utils to version 3.0.24 or higher.

Vulnerable version range: [,3.0.24)
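To make the failure mode concrete, here is an added Python illustration (not plexus-utils code and not the project's patch) of a comment writer that does no sanitizing next to one that breaks every `--` run, the escaping strategy assumed for this example. The attacker-controlled comment text is constructed; the parser's view of the resulting document shows whether an element arrived through the comment.

```python
import xml.etree.ElementTree as ET

# Constructed attacker-controlled comment text (not from the advisory): the
# embedded "-->" closes the comment early, the element that follows is emitted
# as live markup, and the trailing "<!-- " re-opens a comment so the writer's
# own closing " -->" still parses cleanly.
EVIL_COMMENT = "build info --><inject>pwned</inject><!-- "


def write_comment_unsafe(comment: str) -> str:
    """Model of the flawed behaviour: the comment text is wrapped in comment
    delimiters without any check for an embedded '--'."""
    return "<!-- " + comment + " -->"


def write_comment_safe(comment: str) -> str:
    """Hardened writer. XML 1.0 forbids the string '--' anywhere inside a
    comment, so breaking every run of dashes guarantees that no '-->' can
    appear and the comment cannot be terminated early. This escaping strategy
    is an assumption for the example, not the patch plexus-utils shipped."""
    while "--" in comment:
        comment = comment.replace("--", "- -")
    return "<!-- " + comment + " -->"


def render_document(comment: str, writer) -> str:
    """Assemble a small document the way a generator would: a comment built
    from untrusted input, followed by the element the generator intended."""
    return "<project>" + writer(comment) + "<name>demo</name></project>"


def child_tags(xml_text: str) -> list:
    """Parse the document and list the child elements the parser actually
    sees. Anything besides <name> arrived through the comment."""
    root = ET.fromstring(xml_text)
    return [child.tag for child in root]


if __name__ == "__main__":
    for writer in (write_comment_unsafe, write_comment_safe):
        doc = render_document(EVIL_COMMENT, writer)
        print(f"{writer.__name__}: {doc}\n  children seen by parser: {child_tags(doc)}")
```

With the unsafe writer the parser reports an extra `inject` element; with the safe writer only `name` remains and the whole attacker string is inert comment text. The same property (no `--` inside the comment body) is what any fix for this class of bug has to guarantee.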
  • Directory Traversal (severity: Medium)

An attacker could access arbitrary files and directories on the file system by supplying file names that contain dot-dot-slash (../) sequences or their variations, or by using absolute file paths.

Note:

There is no indication that access to the filesystem beyond that of the application user can be achieved. So typical deployments will have only limited confidentiality impact from this vulnerability.

Vulnerable version range: [,3.0.24)
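The check a caller of a file utility should apply to untrusted names, as an added Python example that is not plexus-utils code: the candidate path is fully normalized and symlink-resolved first, absolute names are refused outright, and containment in the base directory is tested with `os.path.commonpath` rather than a string prefix. The base directory and sample names are constructed for the example.

```python
import os


class PathTraversalError(ValueError):
    """Raised when an untrusted name would escape the intended base directory."""


def safe_join(base_dir: str, untrusted_name: str) -> str:
    """Resolve untrusted_name under base_dir, refusing absolute paths and any
    '..' sequence (including variations such as 'a/../..') that would leave
    base_dir. The test is done on the normalized, symlink-resolved result, so
    '..' hidden in the middle of the path or mixed with '.' is still caught."""
    base = os.path.realpath(base_dir)
    if os.path.isabs(untrusted_name):
        raise PathTraversalError(f"absolute path rejected: {untrusted_name!r}")
    candidate = os.path.realpath(os.path.join(base, untrusted_name))
    # commonpath() is the containment test: the only acceptable common prefix
    # is base itself. A plain startswith() would accept /srv/out-evil for /srv/out.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes {base!r}: {untrusted_name!r}")
    return candidate


def is_safe(base_dir: str, untrusted_name: str) -> bool:
    """Boolean form of safe_join for callers that only need a verdict."""
    try:
        safe_join(base_dir, untrusted_name)
        return True
    except PathTraversalError:
        return False


# Constructed sample names an unpacker or file writer might receive
# (illustrative, not taken from the advisory).
SAMPLE_NAMES = [
    "docs/readme.txt",        # normal relative entry
    "./docs/../docs/a.txt",   # harmless '..' that stays inside base
    "../../etc/passwd",       # classic dot-dot-slash escape
    "docs/../../secret.key",  # '..' buried mid-path
    "/etc/passwd",            # absolute path
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        verdict = "ok" if is_safe("/srv/app/out", name) else "REJECTED"
        print(f"{name!r:28} -> {verdict}")
```

Two caveats worth keeping in mind: `realpath` only resolves symlinks that exist at check time, so a link planted inside the base directory after the check is a separate (time-of-check) problem, and on Windows the `isabs` test must also cover drive-letter and UNC forms, which this POSIX-oriented example does not exercise.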
  • Shell Command Injection (severity: Critical)

Codehaus Plexus is a collection of components used by Apache Maven.

Affected versions of this package are vulnerable to Shell Command Injection (CVE-2017-1000487). The Commandline class in plexus-utils does not correctly quote the contents of double-quoted strings, so when a command line built from untrusted input is executed through a shell, an argument containing double quotes can close the quoted region and append further shell commands.

How to fix Shell Command Injection?

Upgrade org.codehaus.plexus:plexus-utils to version 3.0.16 or higher.

Vulnerable version range: [,3.0.16)
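An added Python illustration of the quoting property at stake (not plexus-utils code; the flawed quoter below is a simplified model assumed for this example, not the library's actual implementation): a naive double-quote wrapper that passes through values which already look quoted, beside POSIX single-quoting via `shlex.quote`. The attacker-controlled argument is constructed, and a shell-style tokenizer shows whether the `;` separators survive as live operators.

```python
import shlex

# Constructed attacker-controlled argument (not from the advisory). It begins
# and ends with a double quote; the middle closes the quoted region and
# appends a second command.
EVIL_ARG = '"report.txt"; id; "tail"'

SHELL_OPERATORS = {";", "&&", "||", "|", "&"}


def naive_quote(arg: str) -> str:
    """Illustrative model of the flawed behaviour (an assumption for this
    example, not the plexus-utils source): a value that already begins and
    ends with a double quote is treated as pre-quoted and passed through
    verbatim; anything else is wrapped in double quotes without escaping."""
    if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
        return arg
    return '"' + arg + '"'


def safe_quote(arg: str) -> str:
    """Hardened quoting: POSIX single quotes via shlex.quote. A literal single
    quote inside the value becomes '\\'' so the value can never terminate the
    quoted region, whatever double quotes or operators it contains."""
    return shlex.quote(arg)


def build_shell_line(argv, quoter) -> str:
    """Join executable and arguments into the single string that a
    'run through sh -c' helper hands to the shell."""
    return " ".join(quoter(a) for a in argv)


def shell_tokens(line: str) -> list:
    """Tokenize like a POSIX shell: quotes are honoured, and ; | & && ||
    come out as separate operator tokens only where they are unquoted."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def injected_operators(line: str) -> list:
    """Operator tokens that would split the line into extra commands under
    sh -c; a non-empty result means the argument escaped its quoting."""
    return [t for t in shell_tokens(line) if t in SHELL_OPERATORS]


if __name__ == "__main__":
    for quoter in (naive_quote, safe_quote):
        line = build_shell_line(["cat", EVIL_ARG], quoter)
        print(f"{quoter.__name__}: {line}")
        print(f"  tokens={shell_tokens(line)} injected={injected_operators(line)}")
```

With the naive quoter the shell sees three commands (`cat "report.txt"`, `id`, `"tail"`); with `shlex.quote` the entire attacker string is a single argument to `cat`. The safer design, where the API allows it, is to avoid the shell entirely and pass an argument vector to the process directly, which is what upgrading to a fixed plexus-utils restores for callers of Commandline.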