CVE-2023-37460 Overview
CVE-2023-37460 is a critical path traversal vulnerability in Plexus Archiver, a collection of Plexus components used to create and extract archives via a unified Archiver/UnArchiver API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive could lead to arbitrary file creation and potentially remote code execution through symbolic link manipulation.
The vulnerability occurs when extracting an archive containing an entry that already exists in the destination directory as a symbolic link whose target does not exist. In this scenario, the resolveFile() function returns the symlink's source instead of its target, bypassing verification that ensures files are not extracted outside the destination directory. Subsequently, Files.newOutputStream(), which follows symlinks by default, writes the entry's content to the symlink's target location, enabling arbitrary file writes outside the intended directory.
Critical Impact
This vulnerability enables attackers to achieve arbitrary file creation and potentially remote code execution by crafting malicious archives that exploit symbolic link handling during extraction.
Affected Products
- Codehaus-plexus Plexus-archiver versions prior to 4.8.0
- Applications and build tools utilizing Plexus Archiver for archive extraction
- Apache Maven and other build systems that depend on Plexus Archiver components
Discovery Timeline
- 2023-07-25 - CVE-2023-37460 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-37460
Vulnerability Analysis
This path traversal vulnerability (CWE-22) arises from a flaw in how AbstractUnArchiver handles symbolic links during archive extraction. It stems from inconsistent path resolution when a symlink points to a target that does not exist.
When an attacker crafts a malicious archive containing a symbolic link entry followed by a file entry with the same name, the extraction process fails to properly validate the final destination path. The resolveFile() function resolves the path to the symlink itself rather than following it to its intended target, which allows the path traversal check to pass. However, when the actual file content is written using Files.newOutputStream(), the Java NIO API follows the symbolic link by default, writing content to wherever the symlink points—potentially outside the extraction directory.
This creates a powerful attack primitive that can be leveraged for arbitrary file writes anywhere on the filesystem where the application has write permissions.
Root Cause
The root cause lies in the inconsistency between path validation and file writing operations in AbstractUnArchiver. The resolveFile() method performs security checks against the symlink path itself rather than the resolved target path. Since Files.newOutputStream() follows symlinks by default, there is a disconnect between what path is validated and where content is actually written.
The flaw is a Time-of-Check Time-of-Use (TOCTOU)-style mismatch: the security validation runs against a different effective path than the one the write operation ultimately reaches.
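To make the check/write mismatch concrete, here is an added example (not code from Plexus Archiver or its fix) of a destination resolver that validates the same path it writes to: it refuses any entry whose on-disk path already contains a symlink, and opens the file with NOFOLLOW_LINKS so a symlink cannot be followed at write time. The class name, method names and the temp-directory scenario in main are constructed for illustration.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

public final class SafeEntryWriter {
    // Map an archive entry name onto destDir and refuse it unless the normalized
    // path stays inside destDir and no path component already on disk is a symlink.
    // isSymbolicLink() does not follow the link, so a dangling symlink is caught here
    // (toRealPath() would throw NoSuchFileException on it instead of resolving it).
    static Path resolveEntry(Path destDir, String entryName) throws IOException {
        Path base = destDir.toAbsolutePath().normalize();
        Path candidate = base.resolve(entryName).normalize();
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        Path current = base;
        for (Path part : base.relativize(candidate)) {
            current = current.resolve(part);
            if (Files.isSymbolicLink(current)) {
                throw new IOException("refusing to write through symlink: " + current);
            }
        }
        return candidate;
    }

    static void writeEntry(Path destDir, String entryName, byte[] content) throws IOException {
        Path target = resolveEntry(destDir, entryName);
        Files.createDirectories(target.getParent());
        // NOFOLLOW_LINKS maps to O_NOFOLLOW on POSIX: a symlink placed at the target
        // between the check and the open makes the open fail rather than be followed.
        try (OutputStream out = Files.newOutputStream(target, StandardOpenOption.CREATE,
                StandardOpenOption.TRUNCATE_EXISTING, StandardOpenOption.WRITE,
                LinkOption.NOFOLLOW_LINKS)) {
            out.write(content);
        }
    }

    // Constructed scenario from the advisory: the destination already holds a dangling
    // symlink named "app.cfg" when an archive entry of the same name is extracted.
    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("extract");
        Path dangling = Files.createTempDirectory("outside").resolve("missing-target");
        Files.createSymbolicLink(dest.resolve("app.cfg"), dangling);
        writeEntry(dest, "notes/readme.txt", "ordinary entry".getBytes()); // accepted
        try {
            writeEntry(dest, "app.cfg", "overwrite attempt".getBytes());    // rejected
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it and the second write is rejected by resolveEntry; if the check were removed, the NOFOLLOW_LINKS open would still fail with a FileSystemException on POSIX instead of writing to the symlink's target.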
Attack Vector
An attacker can exploit this vulnerability through the following attack flow:
- Create a malicious archive containing a symbolic link entry pointing to a target file outside the extraction directory (e.g., /etc/cron.d/malicious)
- Include a regular file entry in the archive with the same name as the symbolic link
- Trick a victim application into extracting the malicious archive
- The symlink is created first, then the file content is written through the symlink to the attacker-controlled target location
- Achieve arbitrary file creation, configuration overwrite, or remote code execution depending on the target file
The security patch modifies AbstractUnArchiver.java to properly handle symlink resolution:
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
-import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
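Review bot: this excerpt shows only the import block, and the one visible change is dropping `import java.io.OutputStream;` with no import added in its place, so nothing in these lines demonstrates the symlink target validation the surrounding prose attributes to the patch; the excerpt should also include the hunk that changes resolveFile() or the Files.newOutputStream() call in AbstractUnArchiver.java so the reader can see where the validated path and the written path are reconciled.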
Source: GitHub Commit Details
The patch removes the direct use of OutputStream and implements proper symlink target validation to prevent writing outside the intended directory.
Detection Methods for CVE-2023-37460
Indicators of Compromise
- Unexpected symbolic links created in extraction directories pointing to sensitive system paths
- File modifications in system directories like /etc/cron.d/, /etc/passwd, or application configuration directories following archive extraction operations
- Application log entries showing symlink-related warnings or errors during archive extraction
- Unauthorized file creations outside designated extraction directories
Detection Strategies
- Monitor for archive extraction operations that result in symlink creation, especially those pointing outside the extraction directory
- Implement file integrity monitoring (FIM) on critical system paths that could be targets for arbitrary file writes
- Audit dependency versions in Java applications to identify usage of vulnerable Plexus Archiver versions (prior to 4.8.0)
- Use software composition analysis (SCA) tools to detect vulnerable transitive dependencies
Monitoring Recommendations
- Enable detailed logging for archive extraction operations in applications using Plexus Archiver
- Monitor filesystem events for symlink creation followed by file content writes to the symlink targets
- Implement alerting for file creation or modification in sensitive system directories following Java application archive operations
- Track Maven and build system dependencies for vulnerable Plexus Archiver versions across the organization
How to Mitigate CVE-2023-37460
Immediate Actions Required
- Upgrade Plexus Archiver to version 4.8.0 or later immediately
- Audit all Java applications and build pipelines for usage of vulnerable Plexus Archiver versions
- Update Apache Maven and other build tools that include Plexus Archiver as a transitive dependency
- Implement input validation to reject archives from untrusted sources until patching is complete
Patch Information
The vulnerability is fixed in Plexus Archiver version 4.8.0. The patch modifies AbstractUnArchiver.java to properly resolve symlink targets before performing path validation, ensuring that file writes cannot escape the intended extraction directory.
For detailed information on the security fix, refer to the GitHub Security Advisory GHSA-wh3p-fphp-9h2m and the GitHub Release 4.8.0.
Workarounds
- Avoid extracting archives from untrusted or unknown sources until patching is complete
- Implement application-level validation to reject archives containing symbolic link entries
- Run archive extraction operations in sandboxed environments with restricted filesystem access
- Use container isolation to limit the impact of arbitrary file writes during archive processing
<!-- Update the Plexus Archiver dependency in the Maven pom.xml -->
<!-- Add or update the following dependency version -->
<dependency>
  <groupId>org.codehaus.plexus</groupId>
  <artifactId>plexus-archiver</artifactId>
  <version>4.8.0</version>
</dependency>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

