Posted to commits@maven.apache.org by rf...@apache.org on 2018/06/04 22:05:23 UTC
[maven-site] branch master updated: Zip slip vulnerability Maven plugins
This is an automated email from the ASF dual-hosted git repository.
rfscholte pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/maven-site.git
The following commit(s) were added to refs/heads/master by this push:
new 69695c7 Zip slip vulnerability Maven plugins
69695c7 is described below
commit 69695c7530becede56924a66e49f06bb16e747ca
Author: Robert Scholte <rf...@apache.org>
AuthorDate: Tue Jun 5 00:05:22 2018 +0200
Zip slip vulnerability Maven plugins
---
content/markdown/security.md | 31 ++++++++++++++++++++++++++++++-
1 file changed, 30 insertions(+), 1 deletion(-)
diff --git a/content/markdown/security.md b/content/markdown/security.md
index 38bb05a..86fb001 100644
--- a/content/markdown/security.md
+++ b/content/markdown/security.md
@@ -8,6 +8,35 @@ has been fixed.
For more information about reporting vulnerabilities, see the [Apache
Security Team](https://www.apache.org/security/) page.
+
+### Maven Dependency, EAR, Javadoc, WAR and Plugin Plugins
+
+Severity: Low
+
+Vendor: The Apache Software Foundation
+
+Versions Affected:
+
+- Maven Dependency Plugin 3.1.0 and earlier
+- Maven EAR Plugin 3.0.0 and earlier
+- Maven Javadoc Plugin 2.5 to 3.0.0
+- Maven WAR Plugin 2.1-alpha-1 to 3.2.0
+- Maven Plugin Plugin 3.0 to 3.5.1
+
+Description: As part of a broader research, the Snyk Security Research Team discovered
+an arbitrary file write generic vulnerability, that can be achieved using a
+specially crafted zip (or bzip2, gzip, tar, xz, war) archive, that holds
+path traversal filenames. So when the filename gets concatenated to the
+target extraction directory, if the extraction tool used does not make
+sufficient checks, the final path ends up outside of the target folder.
+The affected plugins use plexus-archiver to unpack dependencies to disk
+and have been identified as potential triggers for exposing the vulnerability
+if dependencies are compromised.
+
+See [full description](./security-plexus-archiver.html) for more details.
+
+Credit: This issue was identified by the Snyk Security Research Team
+
### CVE-2013-0253 Apache Maven 3.0.4
Severity: Medium
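Review bot: the new advisory lists Versions Affected (`- Maven Dependency Plugin 3.1.0 and earlier` through `- Maven Plugin Plugin 3.0 to 3.5.1`) but never states which releases contain the fix, so a reader cannot tell what to upgrade to; the existing entries on this page close with an explicit recommendation (e.g. `Users of this provider are recommended to upgrade to ...`), so add a "Versions Fixed" line or an equivalent upgrade recommendation here, or say plainly that the fixed versions are given on the linked security-plexus-archiver page. The heading also differs from the neighbouring `### CVE-2013-0253 Apache Maven 3.0.4` in carrying no CVE identifier; if one was assigned, put it in the heading, and if none was, say so. Minor wording: "As part of a broader research" should be "As part of broader research", and "an arbitrary file write generic vulnerability" reads better as "a generic arbitrary-file-write vulnerability".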
@@ -52,4 +81,4 @@ field that is not the CN field.
[CVE-2012-6153](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153)
Users of this provider are recommended to upgrade to [Apache Maven Wagon ::
-WebDAV Provider 3.0.0](./download.cgi)
\ No newline at end of file
+WebDAV Provider 3.0.0](./download.cgi)
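Review bot: this hunk only adds the trailing newline that was missing at end of file (`\ No newline at end of file`); harmless, but it is unrelated to the zip slip advisory and the commit message does not mention it, so it would be cleaner as a separate whitespace-only commit or at least noted in the message.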
--
To stop receiving notification emails like this one, please contact
rfscholte@apache.org.