Alerts This Week
Warning Icon 1 619
Alerts This Week
Warning Icon 1 619

Fedora 28 Advisory 2018-7a9a2f6ec0 Critical: Plexus-Archiver Zip Exploit

fedora
Calendar Grey June 14, 2018
Dist Fedora Esm H88
The Plexus-archiver security announcement addresses vulnerabilities linked to unintended file changes and potential remote code execution from crafted zip files in Fedora 28
Security fix: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file (CVE-2018-1002200) A path traversal vulnerability has been discovered...

Summary

The Plexus project seeks to create end-to-end developer tools for

writing applications. At the core is the container, which can be

embedded or for a full scale application server. There are many

reusable components for hibernate, form processing, jndi, i18n,

velocity, etc. Plexus also includes an application server which

is like a J2EE application server, without all the baggage.

Security fix: arbitrary file write vulnerability / arbitrary code execution

using a specially crafted zip file (CVE-2018-1002200) A path traversal

vulnerability has been discovered in plexus-archiver when extracting a carefully

crafted zip file which holds path traversal file names. A remote attacker could

use this vulnerability to write files outside the target directory and overwrite

existing files with malicious code or vulnerable configurations. Red Hat would

like to thank Danny Grander (Snyk) for reporting this issue. External

References: https://security.snyk.io/research/zip-slip-vulnerability

* Fri Jun 1 2018 Mikolaj Izdebski - 0:3.5-6

- Fix arbitrary file write vulnerability

- Resolves: CVE-2018-1002200

[ 1 ] Bug #1584392 - CVE-2018-1002200 plexus-archiver: arbitrary file write vulnerability / arbitrary code execution using a specially crafted zip file

https://bugzilla.redhat.com/show_bug.cgi?id=1584392

su -c 'dnf upgrade --advisory FEDORA-2018-7a9a2f6ec0' at the command

line. For more information, refer to the dnf documentation available at

https://dnf.readthedocs.io/en/latest/command_ref.html

All packages are signed with the Fedora Project GPG key. More details on the

GPG keys used by the Fedora Project can be found at

https://fedoraproject.org/security/

package-announce mailing list -- package-announce@lists.fedoraproject.org

To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org

Fedora Code of Conduct: List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines

List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GZQQJQ2AQA6TR7BYV4DBSHZ3DE7ADWM3/

Topics%20covered

Topics Covered

security advisory Fedora arbitrary code execution path traversal Plexus Archiver file write exploit

Change Log

References

Update Instructions

Severity
critical
Lowest
Low
Medium
High
Critical

Product: Fedora 28
Version: 3.5
Release: 6.fc28
URL: http://codehaus-plexus.github.io/plexus-archiver/
Summary: Plexus Archiver Component

Topics%20covered

Topics Covered

security advisory Fedora arbitrary code execution path traversal Plexus Archiver file write exploit

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Related News

Your message here