CVE-2022-25842

Name of the Vulnerable Software and Affected Versions one-java-agent-plugin versions all

Description The issue allows for Arbitrary File Write via Archive Extraction (Zip Slip) using a specially crafted archive that holds directory traversal filenames (e.g. ../../evil.exe). The attacker can overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine.

Recommendations For all versions, consider restricting the use of archive extraction functionality until a patch is available. As a temporary workaround, avoid using the one-java-agent-plugin package with untrusted archives to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.