Description
Plexus Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using `AbstractUnArchiver` to extract an archive might lead to arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist, the `resolveFile()` function returns the symlink's own path instead of its target, so the entry passes the verification that is meant to ensure the file is not extracted outside of the destination directory. Later, `Files.newOutputStream()`, which follows symlinks by default, writes the entry's content to the symlink's target. Anyone who uses Plexus Archiver to extract an untrusted archive is exposed to arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
A flaw was found in the Plexus Archiver. Using `AbstractUnArchiver` to extract an archive might lead to arbitrary file creation and possible remote code execution (RCE). Extracting an archive with an entry whose name already exists in the destination directory as a symbolic link with a non-existent target bypasses the destination directory verification.
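The mechanism above is easiest to see with a small model of the two extraction paths side by side. The following is an added example written for this page in Python, not plexus-archiver's Java code: `vulnerable_resolve()` mimics a `resolveFile()` that can only canonicalise paths whose target exists (a dangling symlink is left as its own path, which is exactly what lets it pass the containment check), and `open()` plays the role of `Files.newOutputStream()`, following the dangling link and creating its target. The archive, the destination layout and the `authorized_keys` target name are all constructed here for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample archive: one entry whose name collides with a symlink
# that already sits in the destination directory.
ENTRY_NAME = "config.txt"
ENTRY_DATA = b"attacker-controlled content\n"  # constructed payload


def build_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(ENTRY_NAME, ENTRY_DATA)
    return buf.getvalue()


def inside(dest: str, path: str) -> bool:
    """True if an already-resolved path lies under the destination directory."""
    dest = os.path.realpath(dest)
    return path == dest or path.startswith(dest + os.sep)


def vulnerable_resolve(dest: str, name: str) -> str:
    """Model of the pre-4.8.0 resolveFile(): a path whose target exists is
    canonicalised (symlinks followed), but a dangling symlink cannot be,
    so the symlink's own path (inside dest) is returned instead."""
    candidate = os.path.join(dest, name)
    if os.path.exists(candidate):  # False for a dangling symlink
        return os.path.realpath(candidate)
    return os.path.abspath(candidate)


def extract_vulnerable(archive: bytes, dest: str) -> list:
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = vulnerable_resolve(dest, info.filename)
            if not inside(dest, target):
                raise ValueError(f"entry escapes destination: {info.filename}")
            # open() follows symlinks, like Files.newOutputStream(): when
            # target is a dangling symlink, the file it points to is created.
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def extract_hardened(archive: bytes, dest: str) -> list:
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            candidate = os.path.join(dest, info.filename)
            # Resolve symlinks whether or not their target exists before the
            # containment check, so a dangling link to the outside is rejected.
            if not inside(dest, os.path.realpath(candidate)):
                raise ValueError(f"entry escapes destination: {info.filename}")
            if os.path.islink(candidate):
                os.unlink(candidate)  # never write through a pre-existing link
            os.makedirs(os.path.dirname(candidate), exist_ok=True)
            # O_NOFOLLOW: fail instead of following a link that appears later.
            flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
            with os.fdopen(os.open(candidate, flags, 0o644), "wb") as fh:
                fh.write(zf.read(info))
            written.append(candidate)
    return written


def demo(extractor) -> dict:
    """Create dest/config.txt -> <outside>/authorized_keys (target missing),
    run the given extractor, and report what ended up where."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)  # avoid /tmp itself being a symlink
        dest = os.path.join(tmp, "dest")
        outside = os.path.join(tmp, "outside")
        os.makedirs(dest)
        os.makedirs(outside)
        escape_target = os.path.join(outside, "authorized_keys")  # constructed
        os.symlink(escape_target, os.path.join(dest, ENTRY_NAME))
        try:
            extractor(build_archive(), dest)
            rejected = False
        except ValueError:
            rejected = True
        outside_data = None
        if os.path.exists(escape_target):
            with open(escape_target, "rb") as fh:
                outside_data = fh.read()
        return {"rejected": rejected, "outside_data": outside_data}


if __name__ == "__main__":
    print("vulnerable:", demo(extract_vulnerable))
    print("hardened:  ", demo(extract_hardened))
```

Running the script shows the vulnerable path silently creating `outside/authorized_keys` with the archive's content, while the hardened path rejects the entry. Replacing a pre-existing symlink and opening with `O_NOFOLLOW` is the conservative choice made in this example; the point that carries over to any extractor is that the containment check must operate on a fully resolved path, and the write must not follow a link the attacker could have planted.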
Statement
There are factors beyond the attacker's control. For example, the victim's server must have an incomplete SSH server configuration: "~/.ssh/authorized_keys" must not exist (the symlink's target has to be missing for the destination check to be bypassed), and the SSH server port must be externally accessible. In other scenarios as well, an attacker would need to gather configuration settings and prior knowledge of the environment in order to carry out a successful attack. The impact is rated Important because code execution is possible but not guaranteed. Red Hat Fuse 7 contains plexus-archiver only as a transitive dependency that is not exercised at runtime, hence the Low impact for that product.
Mitigation
No mitigations are available for this issue.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
A-MQ Clients 2 | plexus-archiver | Not affected | | |
Cryostat 2 | plexus-archiver | Not affected | | |
Logging Subsystem for Red Hat OpenShift | openshift-logging/elasticsearch6-rhel8 | Affected | | |
Migration Toolkit for Applications 6 | plexus-archiver | Affected | | |
OpenShift Serverless | plexus-archiver | Not affected | | |
Red Hat AMQ Broker 7 | plexus-archiver | Not affected | | |
Red Hat Ansible Automation Platform 2 | plexus-archiver | Not affected | | |
Red Hat build of Apache Camel for Spring Boot 3 | plexus-archiver | Not affected | | |
Red Hat build of Apicurio Registry 2 | plexus-archiver | Not affected | | |
Red Hat build of Debezium 2 | plexus-archiver | Not affected | | |
Additional information
CVSS3: 8.1 High