CVE-2023-37460
Published: 2023-07-25
Priority: P262 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.07% (79.1th percentile)
Plexus Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist, the `resolveFile()` function returns the symlink's own path instead of its target, which passes the verification that ensures the file will not be extracted outside of the destination directory. Later, `Files.newOutputStream()`, which follows symlinks by default, actually writes the entry's content to the symlink's target. Whoever uses plexus-archiver to extract an untrusted archive is exposed to arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| codehaus-plexus | plexus-archiver | < 4.8.0 | 4.8.0 |
| msrc | azl3_javapackages-bootstrap_1.5.0-4_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_javapackages-bootstrap_1.5.0-4_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
Detection & IOCs (extracted from sources)
Source: https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2
- Detect archive extraction where a destination path resolves to a symlink whose target does not exist: the resolveFile() function returns the symlink source rather than its (non-existent) target, bypassing path-traversal checks and allowing writes outside the destination directory.
- Monitor for Files.newOutputStream() calls that follow symlinks during archive extraction, particularly where the resolved output path falls outside the intended destination directory; this is the write primitive exploited after the symlink bypass.
- In SSH-based RCE scenarios, watch for unexpected creation or modification of ~/.ssh/authorized_keys via archive extraction processes, which could indicate successful exploitation of this symlink-bypass vulnerability.
- Exploitation requires pre-existing conditions on the target: the symlink must already exist in the destination directory with a non-existent target, and the attacker must have prior knowledge of the environment's configuration (e.g., missing ~/.ssh/authorized_keys and an exposed SSH port) to achieve RCE; arbitrary file write is not guaranteed to escalate to code execution.
- Red Hat Fuse 7 includes plexus-archiver as a transitive dependency but is not vulnerable at runtime; several other Red Hat products are listed as Not Affected. Scope assessment is required before treating all plexus-archiver deployments as exploitable.
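The description above explains the bypass in two steps (a containment check that resolves to the symlink itself when the link target is missing, then a default-following write), and the detection notes describe where a defender would look. The following Java example is added here to make both concrete; it is not plexus-archiver code and not the 4.8.0 fix. `weakContainmentCheck()` is a constructed model of the behaviour the advisory attributes to `resolveFile()`, and `safeResolve()`/`writeEntry()` are one hardened write path this example assumes: lexical containment, a per-component refusal of any symlink (dangling or not) read with no-follow semantics, and `LinkOption.NOFOLLOW_LINKS` passed to `Files.newOutputStream()` so the OS also refuses a link at open time. The `main()` builds the precondition from the advisory (a dangling symlink already present in the destination directory) in temporary directories.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

/**
 * Added illustration of the CVE-2023-37460 failure mode and a hardened write path.
 * Not plexus-archiver code: the weak check models what the advisory describes,
 * the safe variant is this example's own assumption.
 */
public final class SafeEntryWriter {

    /**
     * Weak containment check (constructed model of the advisory's resolveFile() behaviour).
     * For a dangling symlink, toRealPath() throws NoSuchFileException because the target does
     * not exist, so the check falls back to the lexical path of the link itself. That path is
     * inside destDir, so the check passes even though a later write lands at the link target.
     */
    static boolean weakContainmentCheck(Path destDir, Path entryPath) throws IOException {
        Path resolved;
        try {
            resolved = entryPath.toRealPath();                 // follows links; fails for a dangling link
        } catch (IOException dangling) {
            resolved = entryPath.toAbsolutePath().normalize(); // the link's own path, not its target
        }
        return resolved.startsWith(destDir.toAbsolutePath().normalize());
    }

    /**
     * Hardened resolution: lexical containment first, then walk every component between the
     * destination root and the entry and refuse any symlink. Files.isSymbolicLink() never follows
     * the link, so a dangling link is caught exactly like a live one.
     */
    static Path safeResolve(Path destDir, String entryName) throws IOException {
        Path root = destDir.toRealPath();
        Path candidate = root.resolve(entryName).normalize();
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new IOException("entry escapes destination directory: " + entryName);
        }
        Path cursor = root;
        for (Path part : root.relativize(candidate)) {
            cursor = cursor.resolve(part);
            if (Files.isSymbolicLink(cursor)) {
                throw new IOException("refusing to write through symlink: " + cursor);
            }
        }
        return candidate;
    }

    /**
     * Writes one entry. NOFOLLOW_LINKS is a LinkOption that also implements OpenOption; on Unix
     * it maps to O_NOFOLLOW, so even a link created between the check and the open is refused.
     */
    static void writeEntry(Path destDir, String entryName, byte[] content) throws IOException {
        Path target = safeResolve(destDir, entryName);
        Files.createDirectories(target.getParent());
        try (OutputStream out = Files.newOutputStream(target,
                StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING,
                StandardOpenOption.WRITE, LinkOption.NOFOLLOW_LINKS)) {
            out.write(content);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed scenario: the destination directory already contains a dangling symlink
        // "config.txt" whose target lies outside the directory (the advisory's precondition).
        Path dest = Files.createTempDirectory("extract-dest");
        Path outsideTarget = Files.createTempDirectory("elsewhere").resolve("created-by-extraction.txt");
        Path danglingLink = dest.resolve("config.txt");
        Files.createSymbolicLink(danglingLink, outsideTarget);

        // The weak check accepts the entry: this is the bypass the advisory describes.
        System.out.println("weak check passes: " + weakContainmentCheck(dest, danglingLink));

        // The hardened path refuses it and nothing is created at the link target.
        try {
            writeEntry(dest, "config.txt", "entry content".getBytes(StandardCharsets.UTF_8));
            System.out.println("written (unexpected)");
        } catch (IOException e) {
            System.out.println("hardened path refused: " + e.getMessage());
        }
        System.out.println("file created outside dest: " + Files.exists(outsideTarget));

        // An ordinary nested entry still extracts normally.
        writeEntry(dest, "docs/readme.txt", "ok".getBytes(StandardCharsets.UTF_8));
        System.out.println("normal entry written: " + Files.exists(dest.resolve("docs/readme.txt")));
    }
}
```

Compile and run with `javac SafeEntryWriter.java && java SafeEntryWriter`. The per-component walk is what catches the dangling-link case the advisory describes; the `NOFOLLOW_LINKS` open option is a second, kernel-enforced layer for the final component and is the one to keep even if the pre-check is later refactored away. For logging-based detection, the `IOException` message from `safeResolve()` is the point to emit an event, since it records both the entry name and the link path that was refused.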
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 8.1 | HIGH | — |
Red Hat: plexus-archiver: Arbitrary File Creation in AbstractUnArchiver
vendor_redhat · 2023-07-25 · CVSS 8.1 · HIGH · CWE-22
Microsoft: Plexus Archiver vulnerable to Arbitrary File Creation in AbstractUnArchiver
vendor_msrc · 2023-07-11 · CVSS 9.8 · HIGH · CWE-22
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work, which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Products: Mariner, GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
GHSA: Arbitrary File Creation in AbstractUnArchiver
ghsa · 2023-07-25 · HIGH · CWE-22
### Summary
Using AbstractUnArchiver for extracting an archive might lead to arbitrary file creation and possibly remote code execution.
### Description
When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist, the resolveFile() function returns the symlink's own path instead of its target, which passes the verification that ensures the file will not be extracted outside of the destination directory. Later, Files.newOutputStream(), which follows symlinks by default, actually writes the entry's content to the symlink's target.
### Impact
Whoever uses plexus-archiver to extract an untrusted archive is exposed to arbitrary file creation and possibly remote code execution.
OSV: CVE-2023-37460
osv · 2023-07-25 · CVSS 9.8 · CRITICAL
OSV: Arbitrary File Creation in AbstractUnArchiver
osv · 2023-07-25 · HIGH
No detection rules found.
No public exploits indexed.
References
- https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2
- https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0
- https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m