-
Sub-task
-
Resolution: Done
-
Medium
-
None
-
None
-
None
-
None
Explanation
Plexus Utils is vulnerable to Directory Traversal. The extractFile() function in the Expand class allows directory traversal characters such as ../ via the entryName parameter. An attacker can exploit this vulnerability by sending a specially crafted request containing this sequence in the URL path, allowing the attacker to traverse beyond the allowed directory and retrieve the contents of arbitrary files from the server, leading to information disclosure.
Detection
The application is vulnerable by using this component.
Recommendation
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
update for appc-client/code-generator/pom.xml to exclude plexus-util then update to 3.0.24
dependency tree:
[INFO] +- org.apache.maven:maven-core:jar:3.3.9:compile
[INFO] | +- org.apache.maven:maven-settings:jar:3.3.9:compile
[INFO] | +- org.apache.maven:maven-settings-builder:jar:3.3.9:compile
[INFO] | | - org.apache.maven:maven-builder-support:jar:3.3.9:compile
[INFO] | +- org.apache.maven:maven-repository-metadata:jar:3.3.9:compile
[INFO] | +- org.apache.maven:maven-model-builder:jar:3.3.9:compile
[INFO] | +- org.apache.maven:maven-aether-provider:jar:3.3.9:compile
[INFO] | | - org.eclipse.aether:aether-spi:jar:1.0.2.v20150114:compile
[INFO] | +- org.eclipse.aether:aether-impl:jar:1.0.2.v20150114:compile
[INFO] | +- org.eclipse.aether:aether-api:jar:1.0.2.v20150114:compile
[INFO] | +- org.eclipse.aether:aether-util:jar:1.0.2.v20150114:compile
[INFO] | +- com.google.inject:guice:jar:no_aop:4.0:compile
[INFO] | | +- javax.inject:javax.inject:jar:1:compile
[INFO] | | - aopalliance:aopalliance:jar:1.0:compile
[INFO] | +- org.codehaus.plexus:plexus-interpolation:jar:1.21:compile
[INFO] | +- org.codehaus.plexus:plexus-utils:jar:3.0.22:compile
[INFO] | +- org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile
[INFO] | +- org.codehaus.plexus:plexus-component-annotations:jar:1.6:compile
[INFO] | - org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
[INFO] | - org.sonatype.plexus:plexus-cipher:jar:1.4:compile