Posted to site-commits@maven.apache.org by sv...@apache.org on 2018/06/06 21:04:59 UTC

svn commit: r1833084 - in /maven/website/content: maven-site-1.0-site.jar security-plexus-archiver.html

Author: svn-site-role
Date: Wed Jun  6 21:04:58 2018
New Revision: 1833084

Log:
Site checkin for project Apache Maven Site

Modified:
    maven/website/content/maven-site-1.0-site.jar
    maven/website/content/security-plexus-archiver.html

Modified: maven/website/content/maven-site-1.0-site.jar
==============================================================================
Binary files - no diff available.

Modified: maven/website/content/security-plexus-archiver.html
==============================================================================
--- maven/website/content/security-plexus-archiver.html (original)
+++ maven/website/content/security-plexus-archiver.html Wed Jun  6 21:04:58 2018
@@ -119,7 +119,7 @@
         </div>
         <div id="bodyColumn"  class="span10" >
 <h1>Zip Slip Vulnerability</h1>
-<p>As part of a broader research, the Snyk Security Research Team discovered an arbitrary file write generic vulnerability, that can be achieved using a specially crafted zip (or bzip2, gzip, tar, xz, war) archive, that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, if the extraction tool used does not make sufficient checks, the final path ends up outside of the target folder.</p>
+<p>As part of <a class="externalLink" href="https://snyk.io/research/zip-slip-vulnerability">a broader research</a>, the Snyk Security Research Team discovered an arbitrary file write generic vulnerability, that can be achieved using a specially crafted zip (or bzip2, gzip, tar, xz, war) archive, that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, if the extraction tool used does not make sufficient checks, the final path ends up outside of the target folder.</p>
 <p>The Apache Maven team has been informed because the plexus-archiver library did not make sufficient checks and it is a library used by most of the packaging plugins. Affected versions of plexus-archiver are [,3.4]+[3.5], fixed versions are 3.4.1 &amp; 3.6.0, with issue tracking <a class="externalLink" href="https://github.com/codehaus-plexus/plexus-archiver/pull/87">plexus-archiver #87</a> and Snyk vulnerability report <a class="externalLink" href="https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31680">SNYK-JAVA-ORGCODEHAUSPLEXUS-31680</a></p>
 <div class="section">
 <h2><a name="What_parts_of_Maven_are_vulnerable.3F"></a>What parts of Maven are vulnerable?</h2>
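Review bot: the anchor text introduced on the `+` line, "a broader research", is ungrammatical ("research" is a mass noun); suggest "broader research" or "a broader research effort" for the link text. While touching that sentence, "arbitrary file write generic vulnerability" reads more naturally as "generic arbitrary file write vulnerability", though that wording is unchanged from the original. In the unchanged context line that follows, the sentence ends without a period after the SNYK-JAVA-ORGCODEHAUSPLEXUS-31680 link, and the affected range "[,3.4]+[3.5]" is Maven version-range notation that readers of a security advisory may not recognise; spelling it out as "3.4 and earlier, plus 3.5" next to the fixed versions 3.4.1 and 3.6.0 would make the advisory clearer.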