{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Critical" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"plexus-archiver security update", "category":"general", "title":"Synopsis" }, { "text":"An update for plexus-archiver is now available for openEuler-20.03-LTS-SP4", "category":"general", "title":"Summary" }, { "text":"The Plexus project provides a full software stack for creating and executing software projects. It provides a number of pre-built components for common tasks and toolkits such as Jetty, Velocity, Hibernate, i18n, and many more. However, Plexus is also able to reuse your existing components written for other IoC frameworks such as Spring, Avalon and Pico Container unmodified, as well as allowing you to reuse your existing code inside the Plexus Container.\n\nSecurity Fix(es):\n\nPlexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.(CVE-2023-37460)", "category":"general", "title":"Description" }, { "text":"An update for plexus-archiver is now available for openEuler-20.03-LTS-SP4.\n\nopenEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Critical", "category":"general", "title":"Severity" }, { "text":"plexus-archiver", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2025-1670", "category":"self", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1670" }, { "summary":"CVE-2023-37460", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-37460&packageName=plexus-archiver" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2023-37460" }, { "summary":"openEuler-SA-2025-1670 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2025/csaf-openeuler-sa-2025-1670.json" } ], "title":"An update for plexus-archiver is now available for openEuler-20.03-LTS-SP4", "tracking":{ "initial_release_date":"2025-06-27T21:42:51+08:00", "revision_history":[ { "date":"2025-06-27T21:42:51+08:00", "summary":"Initial", "number":"1.0.0" } ], "generator":{ "date":"2025-06-27T21:42:51+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2025-06-27T21:42:51+08:00", "id":"openEuler-SA-2025-1670", "version":"1.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"openEuler-20.03-LTS-SP4", "name":"openEuler-20.03-LTS-SP4" }, "name":"openEuler-20.03-LTS-SP4", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"plexus-archiver-3.6.0-4.oe2003sp4.noarch.rpm", "name":"plexus-archiver-3.6.0-4.oe2003sp4.noarch.rpm" }, "name":"plexus-archiver-3.6.0-4.oe2003sp4.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP4" }, "product_id":"plexus-archiver-3.6.0-4.oe2003sp4.src.rpm", "name":"plexus-archiver-3.6.0-4.oe2003sp4.src.rpm" }, "name":"plexus-archiver-3.6.0-4.oe2003sp4.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"plexus-archiver-3.6.0-4.oe2003sp4.noarch.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:plexus-archiver-3.6.0-4.oe2003sp4.noarch", "name":"plexus-archiver-3.6.0-4.oe2003sp4.noarch as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP4", "product_reference":"plexus-archiver-3.6.0-4.oe2003sp4.src.rpm", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP4:plexus-archiver-3.6.0-4.oe2003sp4.src", "name":"plexus-archiver-3.6.0-4.oe2003sp4.src as a component of openEuler-20.03-LTS-SP4" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2023-37460", "notes":[ { "text":"Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP4:plexus-archiver-3.6.0-4.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:plexus-archiver-3.6.0-4.oe2003sp4.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP4:plexus-archiver-3.6.0-4.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:plexus-archiver-3.6.0-4.oe2003sp4.src" ], "details":"plexus-archiver security update", "category":"vendor_fix", "url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1670" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"CRITICAL", "baseScore":9.8, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP4:plexus-archiver-3.6.0-4.oe2003sp4.noarch", "openEuler-20.03-LTS-SP4:plexus-archiver-3.6.0-4.oe2003sp4.src" ] } ], "threats":[ { "details":"Critical", "category":"impact" } ], "title":"CVE-2023-37460" } ] }