PT-2023-25975 · Unknown · Plexus Archiver

Uriyay-Jfrog · Published 2023-07-25 · Updated 2025-08-21 · CVE-2023-37460

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Plexus Archiver versions prior to 4.8.0
Description: The issue arises when AbstractUnArchiver is used to extract an archive, and can lead to arbitrary file creation and possibly remote code execution. It occurs when an archive entry's path already exists in the destination directory as a symbolic link whose target does not exist. For such a dangling link, resolveFile() returns the path of the symlink itself rather than its target, so the check that is meant to ensure the file is not extracted outside the destination directory passes. Files.newOutputStream(), which follows symlinks by default, then writes the entry's content to the symlink's target, which may lie outside the destination directory. This vulnerability affects users who extract untrusted archives with Plexus Archiver.
Technical details: Files.newOutputStream() follows symlinks by default; resolveFile() may return the symlink's own path instead of its target when that target does not exist; and checkCanonicalFile(), which verifies that the resolved path of the extracted file does not escape the destination directory, is therefore satisfied by the symlink's path rather than by the location that is actually written.
Recommendations: Update to version 4.8.0 or later, which contains a patch for this issue. For versions prior to 4.8.0, as a temporary workaround, consider disabling the use of AbstractUnArchiver for extracting untrusted archives until the patched version can be deployed. Restrict access to the vulnerable resolveFile() function to minimize the risk of exploitation. Avoid using Files.newOutputStream() on untrusted archives until the issue is resolved.
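The mechanism described above, as an added illustration that is not Plexus Archiver's own code: a dangling symlink canonicalises to its own path, so a containment check on the canonical path passes, while a write through Files.newOutputStream() with default options would follow the link. The helper names (stillInsideDestination, writeEntry), the entry name config.txt and the symlink target are constructed for the demo and are not taken from the project. The hardened writeEntry() refuses to write where a symlink or any other non-regular file already exists and, as a second line of defence, passes LinkOption.NOFOLLOW_LINKS to the open call so the OS itself refuses to open through a link.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;

// Added illustration of the CVE-2023-37460 failure mode and a hardened
// extraction step. Helper names are hypothetical (not the Plexus Archiver API).
public class SafeExtractDemo {

    // Containment check in the style the advisory attributes to checkCanonicalFile():
    // the canonical path of the entry must stay under the canonical destination.
    // On its own this is the check that a dangling symlink slips past.
    static boolean stillInsideDestination(File destDir, File entryFile) throws IOException {
        String dest = destDir.getCanonicalPath() + File.separator;
        String resolved = entryFile.getCanonicalPath();
        return resolved.startsWith(dest);
    }

    // Hardened write: keep the containment check, but also inspect the entry
    // path WITHOUT following links, and open the file with NOFOLLOW_LINKS.
    static void writeEntry(File destDir, String entryName, InputStream content) throws IOException {
        File entryFile = new File(destDir, entryName);
        if (!stillInsideDestination(destDir, entryFile)) {
            throw new IOException("entry escapes destination: " + entryName);
        }
        Path target = entryFile.toPath();
        // Key guard: a dangling symlink canonicalises to itself and so passed the
        // check above; Files.isSymbolicLink() looks at the link, not its target.
        if (Files.isSymbolicLink(target)) {
            throw new IOException("refusing to write through symlink: " + entryName);
        }
        if (Files.exists(target, LinkOption.NOFOLLOW_LINKS)
                && !Files.isRegularFile(target, LinkOption.NOFOLLOW_LINKS)) {
            throw new IOException("existing non-regular file at: " + entryName);
        }
        Files.createDirectories(target.getParent());
        // Belt and braces: even if a link appeared between the check and the open
        // (TOCTOU), NOFOLLOW_LINKS makes the open itself fail on a symlink.
        try (OutputStream out = Files.newOutputStream(target,
                StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING,
                StandardOpenOption.WRITE, LinkOption.NOFOLLOW_LINKS)) {
            content.transferTo(out);
        }
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("extract-demo");
        // Constructed: a path outside the destination that does not exist yet.
        Path outside = dest.resolveSibling(dest.getFileName() + "-outside-target");
        // Constructed: a pre-existing dangling symlink named like an archive entry.
        Path link = dest.resolve("config.txt");
        Files.createSymbolicLink(link, outside);

        // Root cause: canonicalising a dangling link yields the link's own path,
        // so the containment check alone reports "inside".
        System.out.println("canonical path of link: " + link.toFile().getCanonicalPath());
        System.out.println("containment check alone passes: "
                + stillInsideDestination(dest.toFile(), link.toFile()));

        InputStream payload = new ByteArrayInputStream("hello".getBytes(StandardCharsets.UTF_8));
        try {
            writeEntry(dest.toFile(), "config.txt", payload);
            System.out.println("entry written");
        } catch (IOException e) {
            System.out.println("hardened write rejected: " + e.getMessage());
        }
        System.out.println("outside target exists after extraction: " + Files.exists(outside));
    }
}
```

Run with `java SafeExtractDemo.java` on Java 11 or later (it needs a filesystem that supports symlinks). The first two lines show the canonical path of the dangling link equal to the link itself and the containment check passing; the hardened path then rejects the entry, and the final line should report that nothing was created at the outside target.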

Tags: Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers

AZL-27645
AZL-34813
CVE-2023-37460
GHSA-WH3P-FPHP-9H2M
OESA-2025-1670
OESA-2025-1671
OESA-2025-1859
OESA-2025-1860
OESA-2025-1861
OESA-2025-1862
OPENSUSE-SU-2024:13309-1
RHSA-2023:6886
RHSA-2023_6886
SUSE-RU-2024:0560-1

Affected Products

Plexus Archiver
Red Hat