[GHSA-6fmv-xxpf-w3cw] Plexus-Utils has a Directory Traversal vulnerability in its extractFile method #7333
Conversation
Wasn't sure about the format when there are two maintained version ranges; figured I'd copy the affected versions block.
Pull request overview
Updates the GitHub-reviewed advisory for GHSA-6fmv-xxpf-w3cw (Plexus-Utils directory traversal in extractFile) to reflect additional affected product/version information, including the fix release noted in the PR description.
Changes:
- Updated the advisory's modified timestamp.
- Added an additional affected range intended to capture the fix in 3.6.1 (alongside the existing 4.0.3 fix range).
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "3.6.1" | ||
| } |
The two affected entries for org.codehaus.plexus:plexus-utils both start with introduced: "0", which makes the ranges overlap; the combined meaning becomes “all versions < 4.0.3 are affected”, incorrectly marking 3.6.1+ as vulnerable. Model this like other advisories with multiple disjoint ranges (e.g. separate entries with different introduced values): one range should cover < 3.6.1, and the other should start at the first affected 4.x release (e.g. introduced: "4.0.0") and fix at 4.0.3, or represent both segments in a single range’s events.
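To make the range semantics in the comment above concrete, here is an added Python example (not code from the advisory database or this PR) that evaluates OSV-style introduced/fixed events for the two ways of modelling this advisory: the overlapping ranges as submitted, and the disjoint ranges the review suggests. The numeric-only version parser, the ECOSYSTEM range type and the candidate version list are assumptions constructed for the demonstration.

```python
from typing import Dict, List, Tuple

# Constructed from the PR discussion: the Maven coordinate is on the page; the
# ECOSYSTEM range type and numeric-only version parsing are assumptions.
PKG = {"ecosystem": "Maven", "name": "org.codehaus.plexus:plexus-utils"}

def parse_version(v: str) -> Tuple[int, ...]:
    # Dotted numeric versions only (3.6.1, 4.0.3); "0" sorts before everything.
    return tuple(int(part) for part in v.split("."))

def range_affects(events: List[Dict[str, str]], version: str) -> bool:
    """OSV-style evaluation of one range: walk the events in version order and
    let the last event at or below `version` decide ('introduced' => affected,
    'fixed' => not affected). A 'fixed' bound is therefore exclusive."""
    target = parse_version(version)
    affected = False
    for event in sorted(events, key=lambda e: parse_version(next(iter(e.values())))):
        kind, bound = next(iter(event.items()))
        if parse_version(bound) > target:
            break
        affected = kind == "introduced"
    return affected

def is_affected(affected_entries: List[dict], version: str) -> bool:
    """The advisory's 'affected' array: a version is vulnerable if ANY range hits."""
    return any(range_affects(r["events"], version)
               for entry in affected_entries for r in entry["ranges"])

def make_affected(*event_lists: List[Dict[str, str]]) -> List[dict]:
    return [{"package": PKG,
             "ranges": [{"type": "ECOSYSTEM", "events": ev} for ev in event_lists]}]

# As submitted in the PR: both ranges start at "0", so the 4.0.3 range swallows 3.6.1+.
OVERLAPPING = make_affected([{"introduced": "0"}, {"fixed": "4.0.3"}],
                            [{"introduced": "0"}, {"fixed": "3.6.1"}])
# As the review suggests: disjoint segments, the 4.x one starting at 4.0.0.
DISJOINT = make_affected([{"introduced": "0"}, {"fixed": "3.6.1"}],
                         [{"introduced": "4.0.0"}, {"fixed": "4.0.3"}])

# Constructed sample versions to probe both models.
CANDIDATES = ["3.5.1", "3.6.0", "3.6.1", "3.6.2", "4.0.0", "4.0.2", "4.0.3"]

def affected_subset(affected_entries: List[dict]) -> List[str]:
    return [v for v in CANDIDATES if is_affected(affected_entries, v)]

if __name__ == "__main__":
    print("overlapping:", affected_subset(OVERLAPPING))  # 3.6.1 and 3.6.2 wrongly listed
    print("disjoint:   ", affected_subset(DISJOINT))
```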
Fair; please update the 4.x range accordingly to start from 4.0.0; or give me instructions without opening a new pull request.
Comments
3.6.1 was released with this fix: https://github.com/codehaus-plexus/plexus-utils/releases/tag/plexus-utils-3.6.1