GHSA-hcxq-x77q-3469

Source

https://github.com/advisories/GHSA-hcxq-x77q-3469

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hcxq-x77q-3469/GHSA-hcxq-x77q-3469.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hcxq-x77q-3469

Aliases

CVE-2018-1002200
SNYK-JAVA-ORGCODEHAUSPLEXUS-31680

Published

2022-05-13T01:35:03Z

Modified

2024-08-01T07:56:43.014949Z

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Improper Limitation of a Pathname to a Restricted Directory in plexus-archiver

Details

plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

Database specific

{
    "nvd_published_at": "2018-07-25T17:29:00Z",
    "github_reviewed_at": "2022-06-30T15:19:51Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Maven / org.codehaus.plexus:plexus-archiver

Package

Name: org.codehaus.plexus:plexus-archiver; View open source insights on deps.dev
Purl: pkg:maven/org.codehaus.plexus/plexus-archiver

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.0

Affected versions

1.*

1.0-alpha-3

1.0-alpha-4

1.0-alpha-5

1.0-alpha-6

1.0-alpha-7

1.0-alpha-8

1.0-alpha-9

1.0-alpha-10

1.0-alpha-11

1.0-alpha-12

1.0

1.1

1.2

2.*

2.0

2.0.1

2.0.2

2.1

2.1.1

2.1.2

2.2

2.3

2.4

2.4.1

2.4.3

2.4.4

2.5

2.6

2.6.1

2.6.2

2.6.3

2.6.4

2.7

2.7.1

2.8

2.8.1

2.8.2

2.8.3

2.8.4

2.9

2.9.1

2.10-beta-1

2.10

2.10.1

2.10.2

2.10.3

2.11

3.*

3.0

3.0.1

3.0.2

3.0.3

3.1

3.1.1

3.2

3.3

3.4

3.4.1

3.5