Skip to content

[GHSA-6fmv-xxpf-w3cw] Plexus-Utils has a Directory Traversal vulnerability in its extractFile method #7333

Merged
advisory-database[bot] merged 1 commit intotimtebeek/advisory-improvement-7333from
timtebeek-GHSA-6fmv-xxpf-w3cw
Apr 8, 2026
Merged

[GHSA-6fmv-xxpf-w3cw] Plexus-Utils has a Directory Traversal vulnerability in its extractFile method #7333
advisory-database[bot] merged 1 commit intotimtebeek/advisory-improvement-7333from
timtebeek-GHSA-6fmv-xxpf-w3cw

Conversation

@timtebeek
Copy link
Copy Markdown

@timtebeek timtebeek commented Apr 8, 2026

Updates

  • Affected products

Comments
3.6.1 was released with this fix: https://github.com/codehaus-plexus/plexus-utils/releases/tag/plexus-utils-3.6.1

Copilot AI review requested due to automatic review settings April 8, 2026 16:59
@timtebeek timtebeek mentioned this pull request Apr 8, 2026
Merged
2 tasks
@github-actions github-actions bot changed the base branch from main to timtebeek/advisory-improvement-7333 April 8, 2026 17:00
@timtebeek
Copy link
Copy Markdown
Author

timtebeek commented Apr 8, 2026

Wasn't sure about the format when there's two maintained version ranges; figured copy the affected versions block.

Copilot AI reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the GitHub-reviewed advisory for GHSA-6fmv-xxpf-w3cw (Plexus-Utils directory traversal in extractFile) to reflect additional affected product/version information, including the fix release noted in the PR description.

Changes:

  • Updated the advisory modified timestamp.
  • Added an additional affected range intended to capture the fix in 3.6.1 (alongside the existing 4.0.3 fix range).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

advisories/github-reviewed/2026/03/GHSA-6fmv-xxpf-w3cw/GHSA-6fmv-xxpf-w3cw.json
Comment on lines +40 to +46
"events": [
{
"introduced": "0"
},
{
"fixed": "3.6.1"
}
Copy link

Copilot AI Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The two affected entries for org.codehaus.plexus:plexus-utils both start with introduced: "0", which makes the ranges overlap; the combined meaning becomes “all versions < 4.0.3 are affected”, incorrectly marking 3.6.1+ as vulnerable. Model this like other advisories with multiple disjoint ranges (e.g. separate entries with different introduced values): one range should cover < 3.6.1, and the other should start at the first affected 4.x release (e.g. introduced: "4.0.0") and fix at 4.0.3, or represent both segments in a single range’s events.

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Author

@timtebeek timtebeek Apr 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair; please update the 4.x range accordingly to start from 4.0.0; or give me instructions without opening a new pull request.

@advisory-database advisory-database bot merged commit ecf01a6 into timtebeek/advisory-improvement-7333 Apr 8, 2026
7 of 8 checks passed
@advisory-database
Copy link
Copy Markdown
Contributor

advisory-database bot commented Apr 8, 2026

Hi @timtebeek! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the timtebeek-GHSA-6fmv-xxpf-w3cw branch April 8, 2026 23:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@timtebeek