CVE-2023-40828

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-40828
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-40828.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-40828
Aliases
Downstream
Published
2023-08-28T22:15:09.713Z
Modified
2025-11-15T06:49:05.016794Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

An issue in pf4j v3.9.0 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the expandIfZip method in the extract function.

References

Affected packages

Git / github.com/pf4j/pf4j

Affected ranges

Type
GIT
Repo
https://github.com/pf4j/pf4j
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

release-0.*

release-0.1
release-0.10.0
release-0.11.0
release-0.12.0
release-0.13.0
release-0.13.1
release-0.2
release-0.3
release-0.4
release-0.5
release-0.6
release-0.7.0
release-0.7.1
release-0.8.0
release-0.9.0

release-1.*

release-1.0.0
release-1.1.0
release-1.1.1
release-1.2.0
release-1.3.0

release-2.*

release-2.0.0
release-2.1.0
release-2.2.0
release-2.3.0
release-2.4.0
release-2.5.0
release-2.6.0

release-3.*

release-3.0.0
release-3.0.1
release-3.1.0
release-3.2.0
release-3.3.0
release-3.3.1
release-3.4.0
release-3.4.1
release-3.5.0
release-3.6.0
release-3.7.0
release-3.8.0
release-3.9.0

Database specific

vanir_signatures

[
    {
        "digest": {
            "function_hash": "93519587189859715818483495297603083489",
            "length": 773.0
        },
        "target": {
            "file": "pf4j/src/main/java/org/pf4j/util/Unzip.java",
            "function": "extract"
        },
        "signature_version": "v1",
        "id": "CVE-2023-40828-48d4e522",
        "deprecated": false,
        "source": "https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72",
        "signature_type": "Function"
    },
    {
        "digest": {
            "threshold": 0.9
        },
        "target": {
            "file": "pf4j/src/main/java/org/pf4j/util/Unzip.java"
        },
        "signature_version": "v1",
        "id": "CVE-2023-40828-d997f2cd",
        "deprecated": false,
        "source": "https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72",
        "signature_type": "Line"
    }
]