CVE-2022-25842: 
Java vulnerability analysis and mitigation

CVE-2022-25842 affects all versions of package com.alibaba.oneagent:one-java-agent-plugin. The vulnerability was discovered and disclosed on February 21, 2022, and published on April 21, 2022. This vulnerability allows attackers to perform Arbitrary File Write via Archive Extraction (Zip Slip) using specially crafted archives containing directory traversal filenames (SNYK, NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and received a CVSS v3.1 base score of 9.8 (CRITICAL) from NVD and 6.9 (MEDIUM) from Snyk. The issue exists in the IOUtils.unzip function, which fails to properly validate filenames during archive extraction, allowing path traversal attacks. For example, an archive containing a file named '../../evil.exe' could write files outside the intended target directory (GITHUB_CODE).

The vulnerability allows attackers to overwrite executable files anywhere on the system through directory traversal. Once exploited, attackers can either invoke these files remotely or wait for the system or user to execute them, potentially leading to remote code execution on the victim's machine (SNYK).

The vulnerability was fixed by removing the unused IOUtils.unzip functionality in version 0.0.2 of the package. Users should upgrade to this version or later to address the vulnerability (GITHUB_PR).