CVE-2023-37460
CVSS 3.1 Score 9.8 of 10 (high)
Details
Summary
CVE-2023-37460 is a vulnerability affecting Plexus Archiver, a collection of Plexus components used for archiving and unarchiving files. Before version 4.8.0, using the AbstractUnArchiver to extract an archive might result in arbitrary file creation and potentially remote code execution. This occurs when a symbolic link with a nonexistent target is encountered during extraction. The `resolveFile()` function returns the symlink's own path instead of its target, bypassing the verification intended to prevent files from being extracted outside the destination directory. The `Files.newOutputStream()` function, which follows symlinks by default, then writes the entry's content to the symlink's target, leading to unintended file creation and potential code execution. Users of Plexus Archiver who extract untrusted archives are at risk. Version 4.8.0 includes a patch to address this issue.
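The following is an added Java example, not plexus-archiver's own code: a canonical-path containment check (`flawedContainmentCheck`, a hypothetical stand-in for the pre-4.8.0 `resolveFile()` logic) passes for a dangling symlink, while the hardened `resolveEntry()`/`writeEntry()` pair refuses any symlink component and opens the file with `LinkOption.NOFOLLOW_LINKS`. All method names and the temporary-directory scenario are constructed, and the open-time refusal assumes a platform that honours `NOFOLLOW_LINKS` (O_NOFOLLOW on Unix).

```java
import java.io.File;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.*;

// Added example (not plexus-archiver code): flawed containment check beside a hardened entry write.
public class SymlinkSafeWrite {
    // Flawed pre-4.8.0 pattern: for a dangling symlink getCanonicalPath() returns the link itself, so this passes.
    static boolean flawedContainmentCheck(File destDir, File target) throws IOException {
        return target.getCanonicalPath().startsWith(destDir.getCanonicalPath() + File.separator);
    }
    // Hardened: lexical containment, refuse any symlink component (dangling or not), open with NOFOLLOW_LINKS.
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path dest = destDir.toRealPath();
        Path target = dest.resolve(entryName).normalize();
        if (!target.startsWith(dest) || target.equals(dest))
            throw new IOException("entry escapes destination: " + entryName);
        Path cur = dest;
        for (Path part : dest.relativize(target)) {
            cur = cur.resolve(part);
            if (Files.isSymbolicLink(cur))
                throw new IOException("refusing to write through symlink: " + cur);
        }
        return target;
    }
    static void writeEntry(Path destDir, String entryName, byte[] content) throws IOException {
        Path target = resolveEntry(destDir, entryName);
        Files.createDirectories(target.getParent());
        try (OutputStream out = Files.newOutputStream(target, StandardOpenOption.CREATE,
                StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING, LinkOption.NOFOLLOW_LINKS)) {
            out.write(content);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed scenario: entry "link" was already extracted as a symlink whose target outside dest does not exist.
        Path dest = Files.createTempDirectory("extract-dest");
        Path outside = Files.createTempDirectory("outside").resolve("planted.txt");
        Files.createSymbolicLink(dest.resolve("link"), outside);
        System.out.println("flawed check passes: " + flawedContainmentCheck(dest.toFile(), dest.resolve("link").toFile()));
        try {
            writeEntry(dest, "link", "payload".getBytes());
        } catch (IOException e) {
            System.out.println("hardened write refused: " + e.getMessage());
        }
        System.out.println("file planted outside dest: " + Files.exists(outside));
        writeEntry(dest, "docs/readme.txt", "hello".getBytes()); // an ordinary entry still extracts
    }
}
```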
Affected Products
- Codehaus-plexus Plexus-archiver