one-java-agent-plugin is vulnerable to arbitrary file write. An attacker can overwrite the executable files or invoke them remotely through the unzip function of IOUtils.java by providing a specially crafted archive.
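The advisory does not spell out how the crafted archive achieves the write. The example below is an added illustration, not code from one-java-agent or its IOUtils.java, and it assumes the usual cause of arbitrary file write in an unzip routine: archive entry names that contain `../` segments (or absolute paths), which a naive extractor joins to the destination and writes outside it. The hardened `safeUnzip` resolves each entry against the real destination directory, normalizes it, and refuses any entry that does not stay under that directory; `buildArchive` constructs a small in-memory archive (one benign entry, one escaping entry) purely for the demonstration. All names here are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzipDemo {

    /**
     * Hypothetical hardened unzip (not the project's IOUtils.unzip).
     * Extracts the archive into destDir and rejects any entry whose
     * normalized path would land outside destDir.
     */
    public static List<Path> safeUnzip(InputStream in, Path destDir) throws IOException {
        // toRealPath() requires destDir to exist and resolves symlinks,
        // so the containment check below compares canonical paths.
        Path root = destDir.toRealPath();
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                // Join the entry name to the root and collapse any "." / ".." segments.
                Path target = root.resolve(entry.getName()).normalize();
                // Containment check: the normalized target must still be under root.
                // Absolute entry names also fail this test because resolve() keeps them absolute.
                if (!target.startsWith(root)) {
                    throw new IOException("Rejected zip entry outside target dir: " + entry.getName());
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                    written.add(target);
                }
                zis.closeEntry();
            }
        }
        return written;
    }

    /** Builds a constructed test archive: one benign entry, optionally one traversal entry. */
    static byte[] buildArchive(boolean includeTraversal) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("plugin/plugin.properties"));
            zos.write("name=demo\n".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            if (includeTraversal) {
                // Constructed malicious entry name: escapes two levels above the destination.
                zos.putNextEntry(new ZipEntry("../../escaped.txt"));
                zos.write("should never be written\n".getBytes(StandardCharsets.UTF_8));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("safe-unzip-demo");

        // A well-formed archive extracts normally.
        List<Path> ok = safeUnzip(new ByteArrayInputStream(buildArchive(false)), dest);
        System.out.println("Extracted: " + ok);

        // The archive with a traversal entry is refused before anything escapes dest.
        try {
            safeUnzip(new ByteArrayInputStream(buildArchive(true)), dest);
            System.out.println("BUG: traversal entry was not rejected");
        } catch (IOException e) {
            System.out.println("Blocked: " + e.getMessage());
        }
    }
}
```

Two points worth keeping in mind when applying this pattern. The check must run on the normalized, fully resolved path, not on the raw entry name: a simple `name.contains("..")` test misses absolute paths and Windows-style separators and can be too strict for legitimate names. And because entries are processed in order, a rejected entry still leaves earlier entries on disk; if partial extraction is unacceptable, walk the archive once to validate every name before writing anything.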
github.com/advisories/GHSA-9hr3-j9mc-xmq2
github.com/alibaba/one-java-agent/blob/1f399a2299a8a409d15ea6111a7098629b8f1050/one-java-agent-plugin/src/main/java/com/alibaba/oneagent/utils/IOUtils.java
github.com/alibaba/one-java-agent/blob/1f399a2299a8a409d15ea6111a7098629b8f1050/one-java-agent-plugin/src/main/java/com/alibaba/oneagent/utils/IOUtils.java#L106
github.com/alibaba/one-java-agent/commit/a0ab2fa9f492b13667810b94b5feeb86268fde9e
github.com/alibaba/one-java-agent/pull/29
github.com/alibaba/one-java-agent/pull/29/commits/359603b63fc6c59d8b57e061c171954bab3433bf