Posted to issues@maven.apache.org by "Mark Symons (JIRA)" <ji...@apache.org> on 2018/07/27 12:43:00 UTC
[jira] [Commented] (MSHARED-726) Upgrade plexus-archiver to 3.6.0
[ https://issues.apache.org/jira/browse/MSHARED-726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16559696#comment-16559696 ]
Mark Symons commented on MSHARED-726:
-------------------------------------
h2. CVE-2018-1002200
plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
> Upgrade plexus-archiver to 3.6.0
> --------------------------------
>
> Key: MSHARED-726
> URL: https://issues.apache.org/jira/browse/MSHARED-726
> Project: Maven Shared Components
> Issue Type: Dependency upgrade
> Components: maven-archiver
> Affects Versions: maven-archiver-3.2.1
> Reporter: Karl Heinz Marbaise
> Assignee: Karl Heinz Marbaise
> Priority: Critical
> Fix For: maven-archiver-3.2.1
>
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)