CVE-2018-1002200

Published: 25/07/2018 Updated: 02/08/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.5 | Impact Score: 3.6 | Exploitability Score: 1.8
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Summary

plexus-archiver prior to 3.6.0 is vulnerable to directory traversal, allowing malicious users to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
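The defect described above is a missing check that an archive entry's resolved path stays inside the extraction directory. The following is an added illustration, not plexus-archiver's own code: a small Python extractor with that check, exercised against a constructed two-entry archive (one benign entry, one whose name begins with `../`); the directory name `/tmp/extract-here` is an assumed placeholder.

```python
import io
import os
import zipfile

def build_sample_archive() -> bytes:
    """Constructed fixture: a benign entry plus one whose name climbs out of
    the extraction directory with '../', the shape the summary describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content\n")
        # ZipInfo accepts any entry name, so the archive carries it verbatim.
        zf.writestr(zipfile.ZipInfo("../escaped.txt"), "must not be written\n")
    return buf.getvalue()

def entry_is_safe(dest_dir: str, entry_name: str) -> bool:
    """True only if the entry resolves inside dest_dir: canonicalise both paths,
    then require dest_dir itself or dest_dir plus a separator as the prefix.
    An absolute entry name makes os.path.join drop dest_dir, so it fails too."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, entry_name))
    return target == dest or target.startswith(dest + os.sep)

def find_unsafe_entries(archive_bytes: bytes, dest_dir: str) -> list:
    """Names of every entry that would land outside dest_dir."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if not entry_is_safe(dest_dir, i.filename)]

def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Fail closed: check every entry before writing anything, then write file
    entries with plain open() so the prefix check is the only protection."""
    bad = find_unsafe_entries(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"entries escape {dest_dir!r}: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            path = os.path.join(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(path, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return written
```

Note that the prefix test appends a separator: without it, an entry resolving to `/tmp/extract-here-evil/x` would wrongly pass for a target of `/tmp/extract-here`.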

Vulnerable Products

codehaus-plexus plexus-archiver

redhat enterprise linux desktop 7.0

redhat enterprise linux workstation 7.0

debian debian linux 8.0

debian debian linux 9.0

redhat enterprise linux 7.5

Vendor Advisories

Synopsis: Important: plexus-archiver security update. Type/Severity: Security Advisory: Important. Topic: An update for plexus-archiver is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (C ...
Synopsis: Important: rh-maven33-plexus-archiver and rh-maven35-plexus-archiver security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-maven33-plexus-archiver and rh-maven35-plexus-archiver is now available for Red Hat Software Collections. Red Hat Product Security has rated this upd ...
Debian Bug report logs - #900953 plexus-archiver: CVE-2018-1002200. Package: src:plexus-archiver; Maintainer for src:plexus-archiver is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Thu, 7 Jun 2018 09:27:02 UTC; Severity: grave; Tags: ...
Danny Grander discovered a directory traversal flaw in plexus-archiver, an Archiver plugin for the Plexus compiler system, allowing an attacker to overwrite any file writable by the extracting user via a specially crafted Zip archive. For the oldstable distribution (jessie), this problem has been fixed in version 1.2-1+deb8u1. For the stable distri ...
A path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names. A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vulnerable configurations. (CVE-2018-1002200) ...
A path traversal vulnerability has been discovered in plexus-archiver when extracting a carefully crafted zip file which holds path traversal file names. A remote attacker could use this vulnerability to write files outside the target directory and overwrite existing files with malicious code or vulnerable configurations ...

Github Repositories

This is a fork of "Maven External Dependency Plugin", http://code.google.com/p/maven-external-dependency-plugin/. This Maven plugin allows downloading, installing, and deploying dependency artifacts that are not stored in a Maven repository.

No longer maintained. This plugin is no longer maintained, and is vulnerable to potential abuse as a result of not updating dependencies. At the time of writing, CVE-2018-1002200 is one such example. External Dependency Maven Plugin: This Maven plugin can be used to manage external dependencies that are not available in public Maven repositories or not mavenized at all. The plugi