Posted to issues@maven.apache.org by "Mark Symons (JIRA)" <ji...@apache.org> on 2018/07/27 12:43:00 UTC

[jira] [Commented] (MSHARED-726) Upgrade plexus-archiver to 3.6.0

    [ https://issues.apache.org/jira/browse/MSHARED-726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16559696#comment-16559696 ] 

Mark Symons commented on MSHARED-726:
-------------------------------------

h2. CVE-2018-1002200

plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.

> Upgrade plexus-archiver to 3.6.0
> --------------------------------
>
>                 Key: MSHARED-726
>                 URL: https://issues.apache.org/jira/browse/MSHARED-726
>             Project: Maven Shared Components
>          Issue Type: Dependency upgrade
>          Components: maven-archiver
>    Affects Versions: maven-archiver-3.2.1
>            Reporter: Karl Heinz Marbaise
>            Assignee: Karl Heinz Marbaise
>            Priority: Critical
>             Fix For: maven-archiver-3.2.1
>
>




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)