An update for plexus-archiver is now available for openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1862 Final 1.0 1.0 2025-07-18 Initial 2025-07-18 2025-07-18 openEuler SA Tool V1.0 2025-07-18 plexus-archiver security update An update for plexus-archiver is now available for openEuler-24.03-LTS-SP1 The Plexus project provides a full software stack for creating and executing software projects. It provides a number of pre-built components for common tasks and toolkits such as Jetty, Velocity, Hibernate, i18n, and many more. However, Plexus is also able to reuse your existing components written for other IoC frameworks such as Spring, Avalon and Pico Container unmodified, as well as allowing you to reuse your existing code inside the Plexus Container. Security Fix(es): Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.(CVE-2023-37460) An update for plexus-archiver is now available for openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of critical. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. Critical plexus-archiver https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1862 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-37460 https://nvd.nist.gov/vuln/detail/CVE-2023-37460 openEuler-24.03-LTS-SP1 plexus-archiver-4.2.7-2.oe2403sp1.noarch.rpm plexus-archiver-4.2.7-2.oe2403sp1.src.rpm Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue. 2025-07-18 CVE-2023-37460 openEuler-24.03-LTS-SP1 Critical 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H plexus-archiver security update 2025-07-18 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1862