Cyber Resilience

CVE-2023-37460

High · Public PoC

Published: 25 July 2023
Modified: 21 November 2024
KEV Added:
Patch:
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3791 (97.3rd percentile)
Risk Priority: 39 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-37460 is a high-severity Path Traversal (CWE-22) vulnerability in Codehaus-Plexus Plexus-Archiver. Its CVSS base score is 8.1 (High).

Operationally, it is ranked in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Plexus Archiver, a library providing a unified API for creating and extracting archives, is affected by CVE-2023-37460 in all versions prior to 4.8.0. The flaw resides in AbstractUnArchiver's handling of archive entries that resolve to existing symbolic links whose targets are absent; resolveFile() returns the link source rather than its target, bypassing the destination-directory check, after which Files.newOutputStream() follows the symlink and writes attacker-controlled content to an arbitrary location on the filesystem. The issue is tracked under CWE-22 and CWE-61 and carries a CVSS 3.1 score of 8.1.

An attacker who can supply a malicious archive to any application that uses Plexus Archiver for extraction can trigger creation of files outside the intended destination directory. Because the written content is fully controlled by the archive entry, the attacker may place executables, configuration files, or scripts in locations that later lead to remote code execution when those files are processed by the victim application or system.

The project maintainers addressed the vulnerability in version 4.8.0; the corresponding patch and release are documented in the GitHub Security Advisory GHSA-wh3p-fphp-9h2m together with the commits that corrected symlink resolution. Users are advised to upgrade Plexus Archiver to 4.8.0 or later and to ensure any downstream components that embed the library are also updated.

EPSS for the CVE currently stands at 0.3791 with a recorded peak of 0.4068; no public evidence of in-the-wild exploitation has been reported.

EU & UK References

Vulnerability details

Plexus Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist, the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, which follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses Plexus Archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
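As an added illustration (not the project's code and not its 4.8.0 patch), the Java snippet below contrasts a canonical-path containment check of the kind the advisory describes with one that also refuses to write through an existing symbolic link inside the destination; the class name, method names and the temp-directory scenario are constructed for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SymlinkAwareExtractCheck {

    // Containment check in the style described for pre-4.8.0 (paraphrased, not the
    // project's code): File.getCanonicalPath() leaves a dangling symlink unresolved,
    // so a link whose target is missing looks like a plain path under destDir and passes.
    static boolean weakContainmentCheck(File destDir, String entryName) throws IOException {
        File f = new File(destDir, entryName);
        String dirPrefix = destDir.getCanonicalPath() + File.separator;
        return f.getCanonicalPath().startsWith(dirPrefix);
    }

    // Hardened variant: keep the containment test, then refuse the entry if its path
    // or any ancestor inside destDir is a symbolic link, dangling or not. Checking
    // before opening still leaves a check-then-write window, so treat this as defence
    // in depth alongside upgrading to 4.8.0 or later.
    static boolean hardenedCheck(File destDir, String entryName) throws IOException {
        if (!weakContainmentCheck(destDir, entryName)) return false;
        Path dest = destDir.toPath().toAbsolutePath().normalize();
        Path p = dest.resolve(entryName).normalize();
        for (Path cur = p; cur != null && cur.startsWith(dest) && !cur.equals(dest); cur = cur.getParent()) {
            if (Files.isSymbolicLink(cur)) return false;
        }
        return true;
    }

    // Constructed scenario: a dangling symlink already sits in the destination under the
    // same name as an archive entry; nothing is written through it here.
    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("extract-dest");
        Path outsideDir = Files.createTempDirectory("outside");
        Path link = dest.resolve("config.txt");
        Files.createSymbolicLink(link, outsideDir.resolve("planted.txt")); // target does not exist
        try {
            System.out.println("weak check lets entry through:     " + weakContainmentCheck(dest.toFile(), "config.txt"));
            System.out.println("hardened check lets entry through: " + hardenedCheck(dest.toFile(), "config.txt"));
            System.out.println("hardened check on a plain entry:   " + hardenedCheck(dest.toFile(), "sub/plain.txt"));
        } finally {
            Files.delete(link);
            Files.delete(dest);
            Files.delete(outsideDir);
        }
    }
}
```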

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

codehaus-plexus
plexus-archiver
≤ 4.8.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22: Validates pathnames and filenames to prevent traversal outside intended directories.

References