| Package | plexus-utils2 |
|---|---|
| Version | 3.0.15-1+deb8u2 (jessie), 3.0.22-1+deb9u1 (stretch) |
| Related CVEs | CVE-2022-4244 CVE-2022-4245 |
Two security vulnerabilities have been found in plexus-utils2, a collection of components used by Apache Maven.
CVE-2022-4244
A Directory Traversal issue was discovered in plexus-utils2. This is an
attack which aims to access files and directories that are stored outside
the intended folder. By manipulating file paths with "dot-dot-slash (../)"
sequences and their variations, or by using absolute file paths, it may be
possible to access arbitrary files and directories stored on the file system,
including application source code, configuration, and other critical system
files.
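The containment check that prevents the traversal described above, as an added example written for this page (Python, not the Java code of plexus-utils2): an untrusted relative path is joined onto a base directory, normalised, and rejected if it is absolute or resolves outside that directory. The helper names, the base directory `/srv/app/data` and the sample paths are constructed for illustration.

```python
import os
from pathlib import Path


def resolve_inside(base_dir: str, untrusted_relative: str) -> Path:
    """Join an untrusted path onto base_dir and refuse anything that escapes it.

    Hypothetical helper: this is the check a file API or archive extractor
    should run before touching the filesystem, not plexus-utils code.
    """
    base = Path(base_dir).resolve()

    # Treat backslashes as separators too (conservative: a "dot-dot" variation
    # like "..\\.." must not slip past the check on a POSIX host).
    normalised = untrusted_relative.replace("\\", "/")

    # An absolute path must never replace the base directory.
    if os.path.isabs(normalised):
        raise ValueError(f"absolute path rejected: {untrusted_relative!r}")

    # resolve() collapses "../" sequences (and follows symlinks) so the
    # comparison below is made on the real, final location.
    candidate = (base / normalised).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"path escapes base directory: {untrusted_relative!r}") from None
    return candidate


def is_contained(base_dir: str, untrusted_relative: str) -> bool:
    """True if the path would be accepted by resolve_inside(), else False."""
    try:
        resolve_inside(base_dir, untrusted_relative)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: two benign relative paths and four traversal attempts.
    for p in ["reports/2022/q1.txt", "a/../b.txt", "../../etc/passwd",
              "/etc/passwd", "reports/../../secrets", "..\\..\\etc\\passwd"]:
        print(f"{p!r:30} -> {'accepted' if is_contained('/srv/app/data', p) else 'rejected'}")
```

If the untrusted value arrives URL-encoded or in another transport encoding, decode it before calling `resolve_inside`; the check only sees the bytes it is given.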
CVE-2022-4245
The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment fails to
sanitize comments for a --> sequence. This issue means that text contained
in the comment string could be interpreted as XML and allow for XML
injection.
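To show why an unsanitized comment body matters, here is an added example written for this page (Python, not the upstream Java writer or its fix): one writer emits the comment text verbatim, the other rewrites every `--` so the comment cannot be closed early, and a small parse helper reports which elements end up in the document. The function names and the sample comment text are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from typing import Callable


def write_comment_unsanitized(text: str) -> str:
    """Mirrors the flawed behaviour: the body is emitted as-is, so a '-->'
    inside `text` terminates the comment and whatever follows is parsed as
    markup."""
    return f"<!-- {text} -->"


def write_comment_sanitized(text: str) -> str:
    """Hardened variant (constructed here, not the upstream patch).

    XML forbids the sequence '--' anywhere inside a comment, so breaking up
    every run of dashes ('--' -> '- -') guarantees the body can never contain
    the terminator '-->'. The surrounding spaces keep a trailing '-' in the
    body from touching the closing '-->'.
    """
    safe = re.sub(r"-(?=-)", "- ", text)
    return f"<!-- {safe} -->"


def elements_after_comment(writer: Callable[[str], str], comment_text: str) -> list:
    """Wrap the written comment in a root element, parse it, and return the
    tags of any child elements. An empty list means the comment stayed a
    comment."""
    doc = "<root>" + writer(comment_text) + "</root>"
    root = ET.fromstring(doc)
    return [child.tag for child in root]


if __name__ == "__main__":
    # Constructed sample: comment text that carries a premature '-->'.
    sample = "note --><injected/><!-- "
    print("unsanitized:", write_comment_unsanitized(sample),
          "->", elements_after_comment(write_comment_unsanitized, sample))
    print("sanitized:  ", write_comment_sanitized(sample),
          "->", elements_after_comment(write_comment_sanitized, sample))
```

The same rule applies to any comment writer regardless of language: the body must be checked for `--`, not just for the literal `-->`, because the XML grammar rejects a double dash inside a comment outright.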
For Debian 8 jessie, these problems have been fixed in version 3.0.15-1+deb8u2.
For Debian 9 stretch, these problems have been fixed in version 3.0.22-1+deb9u1.
We recommend that you upgrade your plexus-utils2 packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.