Plexus Archiver Component is vulnerable to zip-slip. The vulnerability exists when an attacker supplies a malicious zip archive whose filenames include file traversal characters such as dot dot (..), so that the concatenated file path resolves to a location outside of the destination folder.
access.redhat.com/errata/RHSA-2018:1836
access.redhat.com/errata/RHSA-2018:1837
access.redhat.com/security/updates/classification/#important
github.com/codehaus-plexus/plexus-archiver/commit/f8f4233508193b70df33759ae9dc6154d69c2ea8
github.com/codehaus-plexus/plexus-archiver/pull/87
www.debian.org/security/2018/dsa-4227