[ https://issues.apache.org/jira/browse/MJAR-252?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16678167#comment-16678167 ]

Mark Symons edited comment on MJAR-252 at 11/7/18 12:47 PM:
------------------------------------------------------------

I think that this issue should be reclassified as major/critical, as the update to {{plexus-archiver 3.6.0}} addresses [CVE-2018-1002200|https://nvd.nist.gov/vuln/detail/CVE-2018-1002200]

{panel}
plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
{panel}

Will maven-jar-plugin v3.1.1 be released soon?


was (Author: marks):
    I think that this issue should be reclassified as major/critical. as the update to {{plexus-archiver 3.6.0}} addresses [CVE-2018-1002200|https://nvd.nist.gov/vuln/detail/CVE-2018-1002200]

{panel}
plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
{panel}

Will v3.1.1 be released soon?

> Upgrade plexus-archiver to 3.6.0
> --------------------------------
>
>                 Key: MJAR-252
>                 URL: https://issues.apache.org/jira/browse/MJAR-252
>             Project: Maven JAR Plugin
>          Issue Type: Dependency upgrade
>    Affects Versions: 3.1.1
>            Reporter: Karl Heinz Marbaise
>            Assignee: Karl Heinz Marbaise
>            Priority: Minor
>             Fix For: 3.1.1
>
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)