[GHSA-6fmv-xxpf-w3cw] Plexus-Utils has a Directory Traversal vulnerability in its extractFile method #7325
Conversation
Pull request overview
Updates the GHSA record for Plexus-Utils (Directory Traversal in extractFile) to reflect that the fix was backported to the 3.6.x line, aligning the advisory’s affected-version metadata with the additional patched release.
Changes:
- Updated the advisory `modified` timestamp.
- Added an additional `affected` entry indicating a fix in `3.6.1` (with `last_known_affected_version_range` set to `<= 3.6.0`).
| "database_specific": { | ||
| "last_known_affected_version_range": "<= 4.0.2" | ||
| } | ||
| }, | ||
| { |
With the current data, the first affected entry uses introduced: 0 and fixed: 4.0.3, which implies all versions < 4.0.3 are vulnerable (including 3.6.1). Adding a second affected entry fixed at 3.6.1 won’t prevent 3.6.1 from still being flagged as affected by the first range. Please restructure the ranges so they’re non-overlapping (e.g., 3.x affected until 3.6.1, and 4.x affected from the first 4.x vulnerable release until 4.0.3), and adjust last_known_affected_version_range values to match.
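The range-overlap problem raised in the comment above is easy to see by running the two candidate `affected[].ranges` layouts through an OSV-style matcher. The block below is an added example, not part of the advisory, this PR, or the plexus-utils project: it evaluates OSV `introduced`/`fixed` events as half-open intervals, lints a range set for overlaps, and uses constructed data mirroring the two shapes discussed. `4.0.0` is an assumed placeholder for the first vulnerable 4.x release, which the thread does not name, and versions are compared as plain dotted integers, so Maven qualifiers are ignored.

```python
"""Evaluate OSV/GHSA-style `affected[].ranges` against concrete versions and
lint a range set for overlapping intervals (added example, not advisory code)."""

from itertools import combinations


def parse_version(v: str) -> tuple:
    """Turn '4.0.3' into (4, 0, 3); OSV's '0' ("from the beginning") into (0,)."""
    return tuple(int(part) for part in v.split("."))


def range_bounds(rng: dict) -> tuple:
    """Return (introduced, fixed) for one range; fixed is None if open-ended."""
    introduced = fixed = None
    for event in rng["events"]:
        if "introduced" in event:
            introduced = parse_version(event["introduced"])
        elif "fixed" in event:
            fixed = parse_version(event["fixed"])
    if introduced is None:
        raise ValueError("OSV ranges must start with an 'introduced' event")
    return introduced, fixed


def is_affected(ranges: list, version: str) -> bool:
    """A version is affected if it falls in *any* range: introduced <= v < fixed."""
    v = parse_version(version)
    for rng in ranges:
        lo, hi = range_bounds(rng)
        if v >= lo and (hi is None or v < hi):
            return True
    return False


def overlapping_ranges(ranges: list) -> list:
    """Lint: return index pairs of ranges whose half-open intervals intersect."""
    hits = []
    for (i, a), (j, b) in combinations(enumerate(ranges), 2):
        lo_a, hi_a = range_bounds(a)
        lo_b, hi_b = range_bounds(b)
        a_starts_before_b_ends = hi_b is None or lo_a < hi_b
        b_starts_before_a_ends = hi_a is None or lo_b < hi_a
        if a_starts_before_b_ends and b_starts_before_a_ends:
            hits.append((i, j))
    return hits


# Constructed data mirroring the two shapes discussed in the review thread.
# Shape 1: the PR as submitted; the second entry still sits inside the first,
# so 3.6.1 keeps matching the `introduced: 0 / fixed: 4.0.3` range.
OVERLAPPING = [
    {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "4.0.3"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "3.6.1"}]},
]

# Shape 2: disjoint ranges as the reviewer asks for. "4.0.0" is an ASSUMED
# placeholder for the first vulnerable 4.x release (not named in the thread).
DISJOINT = [
    {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "3.6.1"}]},
    {"type": "ECOSYSTEM", "events": [{"introduced": "4.0.0"}, {"fixed": "4.0.3"}]},
]


if __name__ == "__main__":
    for name, ranges in (("overlapping", OVERLAPPING), ("disjoint", DISJOINT)):
        print(name, "overlaps:", overlapping_ranges(ranges))
        for ver in ("3.6.0", "3.6.1", "4.0.2", "4.0.3"):
            print(f"  {ver}: affected={is_affected(ranges, ver)}")
```

Running it shows `3.6.1` flagged under the overlapping layout and clean under the disjoint one, while `3.6.0` and `4.0.2` stay flagged in both. The `last_known_affected_version_range` field lives under `database_specific` and is informational only; scanners match on the `events`, which is why the reviewer asks for the events themselves to be made non-overlapping rather than only that field adjusted.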
@copilot Fix it as you understand what I was attempting to do.
Updates
Comments
Bug fix backported to 3.6.x branch
Release notes: https://github.com/codehaus-plexus/plexus-utils/releases/tag/plexus-utils-3.6.1