veracode-repository-ruleset / verademo-java-maven

CVE: 2018-1002200 found in Plexus Archiver Component - Version: 1.0-alpha-3 [JAVA] #37

Open github-actions[bot] opened 11 months ago

github-actions[bot] commented 11 months ago

Veracode Software Composition Analysis

| Attribute | Details |
| --- | --- |
| Library | Plexus Archiver Component |
| Description | The Plexus project provides a full software stack for creating and executing software projects. |
| Language | JAVA |
| Vulnerability | Arbitrary File Write |
| Vulnerability description | Plexus Archiver Component is vulnerable to a zip-slip vulnerability. The vulnerability exists when the attacker inputs a malicious zip archive with filenames including file traversal characters such as dot dot (..), leading to concatenation of a file path located outside of the destination folder. |
| CVE | 2018-1002200 |
| CVSS score | 4.3 |
| Vulnerability present in version/s | 1.0-alpha-3-2.4.4 |
| Found library version/s | 1.0-alpha-3 |
| Vulnerability fixed in version | 3.6 |
| Library latest version | 4.9.0 |
| Fix | null |

Links:

github-actions[bot] commented 9 months ago

Veracode issue link to PR: https://github.com/veracode-repository-ruleset/verademo-java-maven/pull/54