cbcvebase.
CVE-2023-37460
published 2023-07-25


Priority: P262 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.07% (79.1 percentile)
Plexus Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist, the `resolveFile()` function returns the symlink's source instead of its target, which passes the verification that ensures the file will not be extracted outside of the destination directory. Later, `Files.newOutputStream()`, which follows symlinks by default, actually writes the entry's content to the symlink's target. Whoever uses plexus-archiver to extract an untrusted archive is vulnerable to arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.

Affected (7 ranges)

Vendor           Product                                                   Version range   Fixed in
codehaus-plexus  plexus-archiver                                           < 4.8.0         4.8.0
msrc             azl3_javapackages-bootstrap_1.5.0-4_on_azure_linux_3.0
msrc             azure_linux_3.0_arm
msrc             azure_linux_3.0_x64
msrc             cbl2_javapackages-bootstrap_1.5.0-4_on_cbl_mariner_2.0
msrc             cbl_mariner_2.0_arm
msrc             cbl_mariner_2.0_x64

Detection & IOCs (extracted from sources)

Source: https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2
  • Detect archive extraction where a destination path resolves to a symlink whose target does not exist — the resolveFile() function returns the symlink source rather than its (non-existent) target, bypassing path-traversal checks and allowing writes outside the destination directory.
  • Monitor for Files.newOutputStream() calls that follow symlinks during archive extraction, particularly where the resolved output path falls outside the intended destination directory — this is the write primitive exploited after the symlink bypass.
  • In SSH-based RCE scenarios, watch for unexpected creation or modification of ~/.ssh/authorized_keys via archive extraction processes, which could indicate successful exploitation of this symlink-bypass vulnerability.
  • Exploitation requires pre-existing conditions on the target: the symlink must already exist in the destination directory with a non-existent target, and the attacker must have prior knowledge of the environment's configuration (e.g., missing ~/.ssh/authorized_keys and an exposed SSH port) to achieve RCE — arbitrary file write is not guaranteed to escalate to code execution.
  • Red Hat Fuse 7 includes plexus-archiver as a transitive dependency but is not vulnerable at runtime; several other Red Hat products are listed as Not Affected — scope assessment is required before treating all plexus-archiver deployments as exploitable.
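The description above explains the flaw as a resolution step that trusts a symlink whose target does not exist, followed by a write that silently follows the link; the first detection bullet describes the same check. As an added illustration, not code from plexus-archiver or from the linked fix commit, the Java class below shows one way an extractor can close both gaps: it rejects any symbolic link on the path below the destination (`Files.isSymbolicLink` reads attributes without following links, so a dangling link is still caught), and it opens the output with `LinkOption.NOFOLLOW_LINKS` and `CREATE_NEW` so the final write cannot follow a link or overwrite an existing file either. The class name `SafeEntryWriter`, its method names and the temporary-directory demo in `main` are assumptions of this example.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

// Added example (not plexus-archiver code): a hardened "open entry for writing"
// step for an archive extractor that must not be tricked by symlinks in the
// destination directory.
public final class SafeEntryWriter {

    /**
     * Resolve an entry name under destDir. Rejects path traversal and any
     * symbolic link (dangling or not) on the components below destDir.
     */
    public static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path root = destDir.toRealPath();                 // destDir itself must exist
        Path target = root.resolve(entryName).normalize();
        if (target.equals(root) || !target.startsWith(root)) {
            throw new IOException("entry escapes or equals destination: " + entryName);
        }
        // Walk each component with lstat semantics. toRealPath()-style resolution
        // cannot flag a dangling link (its target does not exist), but
        // Files.isSymbolicLink() inspects the link itself and still reports it.
        Path current = root;
        for (Path part : root.relativize(target)) {
            current = current.resolve(part);
            if (Files.isSymbolicLink(current)) {
                throw new IOException("refusing to write through symlink: " + current);
            }
        }
        return target;
    }

    /** Open the entry for writing; never follows a link at the final component. */
    public static OutputStream openEntry(Path destDir, String entryName) throws IOException {
        Path target = resolveEntry(destDir, entryName);
        Files.createDirectories(target.getParent());
        // NOFOLLOW_LINKS: fail instead of following a link at the final component.
        // CREATE_NEW: fail instead of clobbering anything already present there.
        return Files.newOutputStream(target,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE,
                LinkOption.NOFOLLOW_LINKS);
    }

    // Demo on a Unix-like system: a dangling symlink planted in the destination
    // (constructed here for the example) is rejected, a normal entry is written.
    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("extract-");
        // Link target lives in a directory that does not exist, so it is dangling.
        Path outside = dest.resolveSibling("outside-" + dest.getFileName())
                           .resolve("authorized_keys");
        Files.createSymbolicLink(dest.resolve("evil"), outside);

        try (OutputStream out = openEntry(dest, "evil")) {
            out.write("must never reach the link target".getBytes());
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        try (OutputStream out = openEntry(dest, "sub/ok.txt")) {
            out.write("regular entry".getBytes());
        }
        System.out.println("wrote " + dest.resolve("sub/ok.txt"));
    }
}
```

The containment check uses component-wise `Path.startsWith` rather than string prefix comparison, so a destination named `/tmp/out` does not accept `/tmp/outside/x`. The per-component symlink walk still leaves a small window between check and open, which is why the open itself also carries `NOFOLLOW_LINKS`; the two measures together are what the vulnerable combination of a trusting `resolveFile()` and a default `Files.newOutputStream()` lacked.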

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                     9.8    CRITICAL
vendor_msrc             9.8    CRITICAL
vendor_redhat           8.1    HIGH