Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.

The version of javapackages-bootstrap installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-37460 advisory.

  - Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory     with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for     extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When     extracting an archive with an entry that already exists in the destination directory as a symbolic link     whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its     target, which will pass the verification that ensures the file will not be extracted outside of the     destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually     write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted     archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0     contains a patch for this issue. (CVE-2023-37460)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-608 advisory.

  - Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory     with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for     extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When     extracting an archive with an entry that already exists in the destination directory as a symbolic link     whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its     target, which will pass the verification that ensures the file will not be extracted outside of the     destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually     write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted     archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0     contains a patch for this issue. (CVE-2023-37460)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2023:6886 advisory.

  - Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory     with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for     extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When     extracting an archive with an entry that already exists in the destination directory as a symbolic link     whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its     target, which will pass the verification that ensures the file will not be extracted outside of the     destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually     write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted     archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0     contains a patch for this issue. (CVE-2023-37460)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-6886 advisory.

    [0:2.4.2-6]
    - Avoid override target symlink by standard file in AbstractUnArchiver
    - Fixes: CVE-2023-37460

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2023:6886 advisory.

    The Plexus project provides a full software stack for creating and executing software projects. Based on     the Plexus container, the applications can utilise component-oriented programming to build modular,     reusable components that can easily be assembled and reused. The plexus-archiver component provides     functions to create and extract archives.

    Security Fix(es):

    * plexus-archiver: Arbitrary File Creation in AbstractUnArchiver (CVE-2023-37460)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-421 advisory.

  - Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory     with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for     extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When     extracting an archive with an entry that already exists in the destination directory as a symbolic link     whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its     target, which will pass the verification that ensures the file will not be extracted outside of the     destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually     write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted     archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0     contains a patch for this issue. (CVE-2023-37460)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
201689	CBL Mariner 2.0 Security Update: javapackages-bootstrap (CVE-2023-37460)	Nessus	MarinerOS Local Security Checks	critical
194483	Amazon Linux 2023 : javapackages-bootstrap (ALAS2023-2024-608)	Nessus	Amazon Linux Local Security Checks	critical
187765	CentOS 7 : plexus-archiver (RHSA-2023:6886)	Nessus	CentOS Local Security Checks	critical
185518	Oracle Linux 7 : plexus-archiver (ELSA-2023-6886)	Nessus	Oracle Linux Local Security Checks	critical
185498	RHEL 7 : plexus-archiver (RHSA-2023:6886)	Nessus	Red Hat Local Security Checks	critical
184415	Amazon Linux 2023 : plexus-archiver, plexus-archiver-javadoc (ALAS2023-2023-421)	Nessus	Amazon Linux Local Security Checks	critical

Detections

Analytics

CVE-2023-37460

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical