Debian 10264 Published by

A plexus-utils2 security update has been released for Debian GNU/Linux 8 and 9 Extended LTS to address two security vulnerabilities.



ELA-963-1 plexus-utils2 security update

Package : plexus-utils2
Version : 3.0.15-1+deb8u2 (jessie), 3.0.22-1+deb9u1 (stretch)

Related CVEs :
CVE-2022-4244
CVE-2022-4245

Two security vulnerabilities have been found in plexus-utils2, a collection of
components used by Apache Maven.

CVE-2022-4244
A Directory Traversal issue was discovered in plexus-utils2. This is an
attack which aims to access files and directories that are stored outside
the intended folder. By manipulating files with "dot-dot-slash (../)"
sequences and its variations, or by using absolute file paths, it may be
possible to access arbitrary files and directories stored on the file system,
including application source code, configuration, and other critical system
files.

CVE-2022-4245
The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to
sanitize comments for a --> sequence. This issue means that text contained
in the command string could be interpreted as XML and allow for XML
injection.

ELA-963-1 plexus-utils2 security update