Zip Slip Vulnerability

As part of a broader research, the Snyk Security Research Team discovered an arbitrary file write generic vulnerability, that can be achieved using a specially crafted zip (or bzip2, gzip, tar, xz, war) archive, that holds path traversal filenames. So when the filename gets concatenated to the target extraction directory, if the extraction tool used does not make sufficient checks, the final path ends up outside of the target directory.

The Apache Maven team has been informed because the plexus-archiver library did not make sufficient checks and it is a library used by most of the packaging plugins. Affected versions of plexus-archiver are [,3.4]+[3.5], fixed versions are 3.4.1 & 3.6.0, with issue management plexus-archiver #87 and Snyk vulnerability report SNYK-JAVA-ORGCODEHAUSPLEXUS-31680

What parts of Maven are vulnerable?

Apache Maven itself is not vulnerable, since Maven doesn't unpack by itself: unpacking actions are done by plugins.

Reading malicious archives in memory is also not an issue, only when unpacking such archives to disk may cause issues, however in general Maven plugins don't unpack archives.

The issue is regarding malicious artifacts and we haven't been able to create such artifacts with our Maven plugins, hence there's no additional action required to prevent the creation of malicious archives at this level.

The following plugins use plexus-archiver to unpack dependencies to disk and have been identified as potential triggers for exposing the vulnerability. The matrix contains the name of the component/plugin, which versions are affected, which versions contain the fixed and the link to the corresponding issue.

plugin affected versions fixed version issue details
maven-dependency-plugin (,3.1.0] 3.1.1 MDEP-611 unpack and unpack-dependencies goals (not used unless configured explicitly)
maven-ear-plugin (,3.0.0] 3.0.1 MEAR-268 EAR modules feature (not used unless configured explicitly)
maven-javadoc-plugin [2.5,3.0.0] 3.0.1 MJAVADOC-520 resourcesArtifacts and includeDependencySources features (not used unless configured explicitly)
maven-war-plugin [2.1-alpha-1,3.2.0] 3.2.1 MWAR-416 overlay feature (active by default when packaging=war on dependencies with type=war)
maven-plugin-plugin [3.0,3.5.1] 3.5.2 MPLUGIN-338 scan dependencies sources for javadoc annotations (active by default when packaging=maven-plugin)

Apache Ant up to 1.9.11 has the same issue with its unzip task: it will be fixed in 1.9.12 857095da5153fd18504b46f276d84f1e76a66970.

Then following Maven plugins using Ant are affected:

plugin affected versions fixed version issue details
maven-antrun-plugin (,1.8] MANTRUN-214
maven-plugin-plugin:maven-script-ant [2.0,3.5.2] MPLUGIN-340 Ant Mojo Wrapper

Following plugins use plexus-archiver but are not affected since they only create archives:

  • maven-acr-plugin
  • maven-assembly-plugin
  • maven-ejb-plugin
  • maven-jar-plugin
  • maven-jlink-plugin
  • maven-rar-plugin
  • maven-repository-plugin
  • maven-site-plugin
  • maven-source-plugin

When are you affected by this vulnerability?

The vulnerability is like a Trojan Horse, the malicious archive must first enter the system, normally achieved with a downloaded of a dependency. Once downloaded there's no direct danger, the user must take some specific actions before becoming a victim. This only happens when all of the following criteria are met:

  • There's an archive available in a repository that is malicious.
  • Your Maven project or one of its dependencies must find the malicious jar interesting enough to add it as a dependency.
  • There must be a reason to unpack, as defined in the matrix above.
  • The OS must allow the unpack process to put the malicious file at the specified location.
  • The malicious file must be executed or used.

The cause can be described as a breach in the chain of trust. Adding a dependency does imply that you trust it, but also that you trust all of the indirect dependencies. If there's no trust, you better not add that dependency.