摘要:
plexus-archiver security update
安全等级: Critical
公告ID: KylinSec-SA-2025-2659
发布日期: 2025年7月4日
关联CVE: CVE-2023-37460
The Plexus project provides a full software stack for creating and executing software projects. It provides a number of pre-built components for common tasks and toolkits such as Jetty, Velocity, Hibernate, i18n, and many more. However, Plexus is also able to reuse your existing components written for other IoC frameworks such as Spring, Avalon and Pico Container unmodified, as well as allowing you to reuse your existing code inside the Plexus Container.
Security Fix(es):
Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.(CVE-2023-37460)
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2023-37460 | KY3.4-5A | plexus-archiver | Fixed |
| 软件名称 | 架构 | 版本号 |
|---|---|---|
| plexus-archiver | noarch | 3.6.0-4.kb1.ky3_4 |
方法一:下载安装包进行升级安装
1、通过下载链接下载需要升级的升级包保存,如 xxx.rpm
2、通过rpm命令升级,如 rpm -Uvh xxx.rpm
方法二:通过软件源进行升级安装
1、保持能够连接上互联网
2、通过yum命令升级指定的包,如 yum install 包名
