CVE-2023-37460
Published: 25 July 2023
Summary
CVE-2023-37460 is a high-severity Path Traversal (CWE-22) vulnerability in Codehaus-Plexus Plexus-Archiver. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 2.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
Deeper analysis
Plexus Archiver, a library that provides a unified Archiver/UnArchiver API for creating and extracting archives, is affected by CVE-2023-37460 in all versions before 4.8.0. The flaw lies in AbstractUnArchiver's handling of an archive entry whose name matches a symbolic link that already exists in the destination directory when that link's target does not exist: resolveFile() returns the path of the symlink itself rather than of its target, so the check that the resolved path lies inside the destination directory passes. Files.newOutputStream(), which follows symlinks by default, then creates the link's target and writes the attacker-controlled entry content to that arbitrary location on the filesystem. The issue is tracked under CWE-22 and CWE-61 and carries a CVSS 3.1 score of 8.1.
An attacker who can supply a malicious archive to any application that uses Plexus Archiver for extraction can trigger creation of files outside the intended destination directory. Because the written content is fully controlled by the archive entry, the attacker may place executables, configuration files, or scripts in locations that later lead to remote code execution when those files are processed by the victim application or system.
The project maintainers addressed the vulnerability in version 4.8.0; the corresponding patch and release are documented in the GitHub Security Advisory GHSA-wh3p-fphp-9h2m together with the commits that corrected symlink resolution. Users are advised to upgrade Plexus Archiver to 4.8.0 or later and to ensure any downstream components that embed the library are also updated.
EPSS for the CVE currently stands at 0.3791 with a recorded peak of 0.4068; no public evidence of in-the-wild exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2164
Vulnerability details
Plexus Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist, the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, which follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses Plexus Archiver to extract an untrusted archive is vulnerable to arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
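The mechanism described in the analysis and in the advisory text above, re-created as an added Python example (this is not Plexus Archiver's code and does not exercise the Java library; the function names vulnerable_extract, hardened_extract and demo, and the on-disk layout dest/config.txt -> outside/pwned.txt, are constructed for the illustration). The vulnerable function runs its containment check on a path that has not had its symlinks resolved, which is the class of check a pre-existing dangling link slips past, and then opens the file with a call that follows the link. The hardened function shows the two controls a practitioner would want regardless of how the library's own patch is written: resolve the real path (dangling links included) before checking containment, and refuse to write through any pre-existing symlink.

```python
import os
import shutil
import tempfile


def _inside(base: str, candidate: str) -> bool:
    """True if candidate is base itself or lies below it (both absolute)."""
    return os.path.commonpath([base, candidate]) == base


def vulnerable_extract(dest: str, entry_name: str, data: bytes) -> str:
    """Bug pattern behind CVE-2023-37460, re-created in Python (not Plexus code).

    The containment check runs on a lexically normalised path that does not
    resolve symlinks, so a dangling link already sitting inside ``dest`` passes.
    open() then follows that link and creates its target wherever it points.
    """
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, entry_name))
    if not _inside(dest_abs, target):
        raise ValueError(f"entry escapes destination: {entry_name}")
    with open(target, "wb") as fh:  # follows a symlink, dangling or not
        fh.write(data)
    return target


def hardened_extract(dest: str, entry_name: str, data: bytes) -> str:
    """Two independent fixes: check the real path, and never write through a link."""
    dest_real = os.path.realpath(dest)
    target = os.path.join(dest_real, entry_name)
    # realpath() follows symlinks even when the final target is missing, so a
    # dangling link is seen for what it is before the containment check.
    if not _inside(dest_real, os.path.realpath(target)):
        raise ValueError(f"entry escapes destination: {entry_name}")
    # A link that points back inside dest would pass the check above, so refuse
    # any pre-existing symlink at the target outright.
    if os.path.islink(target):
        raise ValueError(f"refusing to write through symlink: {entry_name}")
    # O_NOFOLLOW closes the race between the islink() check and the open().
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Constructed scenario matching the advisory's precondition: dest already
    holds config.txt -> outside/pwned.txt and outside/pwned.txt does not exist."""
    base = tempfile.mkdtemp(prefix="cve-2023-37460-")
    try:
        dest = os.path.join(base, "dest")
        outside = os.path.join(base, "outside")
        os.makedirs(dest)
        os.makedirs(outside)
        victim = os.path.join(outside, "pwned.txt")  # absent until the write
        os.symlink(victim, os.path.join(dest, "config.txt"))
        payload = b"attacker-controlled content\n"

        # Vulnerable path: check passes, write lands outside dest.
        vulnerable_extract(dest, "config.txt", payload)
        with open(victim, "rb") as fh:
            wrote_outside = fh.read() == payload
        os.remove(victim)

        # Hardened path: the resolved path is outside dest, so it is rejected.
        try:
            hardened_extract(dest, "config.txt", payload)
            blocked = False
        except ValueError:
            blocked = True
        victim_absent = not os.path.lexists(victim)

        # An ordinary entry still extracts normally with the hardened code.
        ok_path = hardened_extract(dest, "normal.txt", b"fine\n")
        with open(ok_path, "rb") as fh:
            normal_ok = fh.read() == b"fine\n"

        # Classic ../ traversal is caught by even the weak check.
        try:
            vulnerable_extract(dest, "../evil.txt", payload)
            dotdot_blocked = False
        except ValueError:
            dotdot_blocked = True

        return {
            "vulnerable_wrote_outside": wrote_outside,
            "hardened_blocked": blocked,
            "victim_absent_after_hardened": victim_absent,
            "normal_entry_ok": normal_ok,
            "dotdot_blocked": dotdot_blocked,
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that a plain `../` check is not enough: the `../evil.txt` entry is rejected by both versions, yet the weak version still writes outside the destination through the link, because the escape happens at open time rather than in the entry name.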
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'); CWE-61 (UNIX Symbolic Link Following)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Plexus Archiver, all versions before 4.8.0 (fixed in 4.8.0), and any application that embeds the library and uses it to extract untrusted archives.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories. For this CVE the check must run on the fully resolved path (symlinks followed, including links whose target does not yet exist) and the extractor must not write through a pre-existing symlink; a check on the unresolved path passes even though the write lands outside the destination.