SCA: security update for org.codehaus.plexus:plexus-archiver (GHSA-wh3p-fphp-9h2m)

critical Tenable Cloud Security Plugin ID 419931

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory
with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for
extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When
extracting an archive with an entry that already exists in the destination directory as a symbolic link
whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its
target, which will pass the verification that ensures the file will not be extracted outside of the
destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually
write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted
archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0
contains a patch for this issue. (CVE-2023-37460)

See Also

https://github.com/advisories/GHSA-wh3p-fphp-9h2m

Plugin Details

Severity: Critical

ID: 419931

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.86

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-37460

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/25/2023

Vulnerability Publication Date: 7/25/2023

Reference Information

CVE: CVE-2023-37460

cwe: CWE-22