• Type: Sub-task
    • Resolution: Done
    • Priority: Medium

      Explanation
      Plexus Utils is vulnerable to Directory Traversal. The extractFile() function in the Expand class allows directory traversal characters such as ../ via the entryName parameter. An attacker can exploit this vulnerability by sending a specially crafted request containing this sequence in the URL path, allowing the attacker to traverse beyond the allowed directory and retrieve the contents of arbitrary files from the server, leading to information disclosure.
       
      Detection
      The application is vulnerable by using this component.
       
      Recommendation
      We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

       

      Update appc-client/code-generator/pom.xml to exclude plexus-utils (currently 3.0.22, pulled in transitively via maven-core 3.3.9, see the tree below), then update it to 3.0.24.

       Dependency tree:

      [INFO] +- org.apache.maven:maven-core:jar:3.3.9:compile
      [INFO] |  +- org.apache.maven:maven-settings:jar:3.3.9:compile
      [INFO] |  +- org.apache.maven:maven-settings-builder:jar:3.3.9:compile
      [INFO] |  |  \- org.apache.maven:maven-builder-support:jar:3.3.9:compile
      [INFO] |  +- org.apache.maven:maven-repository-metadata:jar:3.3.9:compile
      [INFO] |  +- org.apache.maven:maven-model-builder:jar:3.3.9:compile
      [INFO] |  +- org.apache.maven:maven-aether-provider:jar:3.3.9:compile
      [INFO] |  |  \- org.eclipse.aether:aether-spi:jar:1.0.2.v20150114:compile
      [INFO] |  +- org.eclipse.aether:aether-impl:jar:1.0.2.v20150114:compile
      [INFO] |  +- org.eclipse.aether:aether-api:jar:1.0.2.v20150114:compile
      [INFO] |  +- org.eclipse.aether:aether-util:jar:1.0.2.v20150114:compile
      [INFO] |  +- com.google.inject:guice:jar:no_aop:4.0:compile
      [INFO] |  |  +- javax.inject:javax.inject:jar:1:compile
      [INFO] |  |  \- aopalliance:aopalliance:jar:1.0:compile
      [INFO] |  +- org.codehaus.plexus:plexus-interpolation:jar:1.21:compile
      [INFO] |  +- org.codehaus.plexus:plexus-utils:jar:3.0.22:compile
      [INFO] |  +- org.codehaus.plexus:plexus-classworlds:jar:2.5.2:compile
      [INFO] |  +- org.codehaus.plexus:plexus-component-annotations:jar:1.6:compile
      [INFO] |  \- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.3:compile
      [INFO] |     \- org.sonatype.plexus:plexus-cipher:jar:1.4:compile
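      The pom.xml change described above, as an added example rather than the project's actual appc-client/code-generator/pom.xml: it assumes the module declares maven-core 3.3.9 as a direct dependency (which is what the dependency tree shows), excludes the transitive plexus-utils 3.0.22 from it, and declares plexus-utils 3.0.24 explicitly so that maven-core and anything else in the tree resolve the fixed version.

```xml
<!-- Added example; not the real appc-client/code-generator/pom.xml.
     Assumes maven-core 3.3.9 is a direct dependency of this module. -->
<dependencies>

  <!-- Before the fix this dependency pulls in plexus-utils 3.0.22
       transitively (see the dependency tree in this ticket). -->
  <dependency>
    <groupId>org.apache.maven</groupId>
    <artifactId>maven-core</artifactId>
    <version>3.3.9</version>
    <!-- Step 1: keep the vulnerable transitive 3.0.22 out of the tree -->
    <exclusions>
      <exclusion>
        <groupId>org.codehaus.plexus</groupId>
        <artifactId>plexus-utils</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Step 2: declare the fixed version explicitly. As a direct
       dependency it also wins Maven's nearest-wins mediation over
       any other transitive path that still references plexus-utils. -->
  <dependency>
    <groupId>org.codehaus.plexus</groupId>
    <artifactId>plexus-utils</artifactId>
    <version>3.0.24</version>
  </dependency>

</dependencies>
```

      After the change, re-run `mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-utils` in the module and confirm that only plexus-utils:jar:3.0.24 appears; if any other artifact in the tree is found to bring its own copy, either add the same exclusion to it or pin the version once in a `<dependencyManagement>` section of the parent pom.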

       

            Assignee: takamune_cho
            Reporter: takamune_cho