CVE-2023-37460: 
Java vulnerability analysis and mitigation

CVE-2023-37460 affects Plexus Archiver, a collection of Plexus components used to create or extract archives with a unified Archiver/UnArchiver API. The vulnerability was discovered in July 2023 and affects versions prior to 4.8.0. The issue allows attackers to perform arbitrary file creation and potentially achieve remote code execution when extracting untrusted archives (GitHub Advisory, NVD).

The vulnerability exists in the AbstractUnArchiver component when extracting an archive containing an entry that already exists in the destination directory as a symbolic link whose target does not exist. The resolveFile() function returns the symlink's source instead of its target, bypassing the directory traversal verification. Subsequently, Files.newOutputStream() follows symlinks by default, writing the entry's content to the symlink's target. The vulnerability has received a CVSS v3.1 base score of 8.1 (High) from GitHub and 9.8 (Critical) from NVD (JFrog Blog, GitHub Advisory).

The vulnerability can lead to arbitrary file creation outside the intended directory structure and potentially result in remote code execution. For example, an attacker could create files like ~/.ssh/authorized_keys with malicious content, allowing unauthorized SSH access to the affected system (GitHub Advisory, JFrog Blog).

The vulnerability has been patched in Plexus Archiver version 4.8.0. Users are strongly advised to upgrade to this version or later to address the security issue (GitHub Release, GitHub Advisory).