VYPR
High severity · NVD Advisory · Published Sep 25, 2023 · Updated Aug 3, 2024

Codehaus-plexus: directory traversal

CVE-2022-4244

Description

A directory traversal vulnerability in codehaus-plexus allows remote attackers to read arbitrary files via crafted path sequences.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability overview

CVE-2022-4244 is a directory traversal flaw in the codehaus-plexus project, specifically in the plexus-utils component. The vulnerability allows an attacker to manipulate file paths using dot-dot-slash (../) sequences or absolute file paths to access files outside the intended directory [1][2].
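The containment check below is an added example written for this page; it is not plexus-utils code. It shows the defensive step an extractor needs before writing an archive entry under a target directory: resolve the entry name against the directory, collapse `..` segments, and reject anything that ends up outside. The class name `EntryContainmentCheck`, the directory `/tmp/out` and the sample entry names are all constructed for the demonstration. It uses `java.nio.file.Path` rather than a string prefix test so that an absolute entry name and a sibling directory whose name merely begins with the target's name (`/tmp/outside` versus `/tmp/out`) are both rejected.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Added example (not plexus-utils code): containment check for archive entry
// names before an extractor writes them under a target directory.
public class EntryContainmentCheck {

    // Resolves entryName against targetDir and rejects any result that lies
    // outside it. normalize() collapses "." and ".." segments, and
    // Path.startsWith() compares whole segments, so a target of /tmp/out does
    // not accept /tmp/outside/x the way a String.startsWith() check would.
    public static Path resolveInside(Path targetDir, String entryName) throws IOException {
        Path base = targetDir.toAbsolutePath().normalize();
        // resolve() with an absolute argument discards the base entirely;
        // the startsWith() test below catches that case as well.
        Path candidate = base.resolve(entryName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IOException("Entry '" + entryName + "' outside the target directory.");
        }
        return candidate;
    }

    // Convenience wrapper used by main(): true when the entry would be
    // written inside targetDir, false when it would be rejected.
    public static boolean isContained(Path targetDir, String entryName) {
        try {
            resolveInside(targetDir, entryName);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        Path target = Paths.get("/tmp/out");   // hypothetical extraction directory
        List<String> samples = List.of(        // constructed sample entry names
            "docs/readme.txt",                 // accept: plain relative name
            "a/../b/c.txt",                    // accept: ".." stays inside the target
            "../../etc/passwd",                // reject: climbs above the target
            "/etc/passwd",                     // reject: absolute name replaces the base
            "../outside/x.txt");               // reject: sibling that shares the "out" prefix
        for (String name : samples) {
            System.out.println((isContained(target, name) ? "accept " : "reject ") + name);
        }
    }
}
```

The check is purely lexical: it does not follow symbolic links already present under the target directory. Where that matters, call `toRealPath()` on the nearest existing ancestor of the candidate and repeat the `startsWith` comparison against the real path of the target directory.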

Attack vector

This vulnerability is network-exploitable with low complexity, requiring no authentication or user interaction. An attacker can send crafted requests to the vulnerable application to traverse the file system [3].

Impact

Successful exploitation enables an attacker to read arbitrary files on the server, including application source code and configuration files. However, access is limited to the file system permissions of the application user, typically resulting in limited confidentiality impact [3]. Red Hat rated this as Important severity [4].

Mitigation

Patches are available in later versions of plexus-utils. Red Hat included a fix in their Camel K 1.10.1 security update (RHSA-2023:3906) [4]. Users should update to the latest patched version to mitigate this vulnerability.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.codehaus.plexus:plexus-utils (Maven)
Affected versions: < 3.0.24
Patched versions: 3.0.24

Affected products (29)

  • Red Hat / Red Hat JBoss A-MQ 7 (cpe:/a:redhat:amq_broker:7)
  • Red Hat / A-MQ Clients 2 (cpe:/a:redhat:a_mq_clients:2)
  • Red Hat / Red Hat A-MQ Online (cpe:/a:redhat:amq_online:1)
  • Red Hat / RHINT Camel-K-1.10.1 (cpe:/a:redhat:camel_k:1)
  • Red Hat / Red Hat Integration Camel Quarkus (cpe:/a:redhat:camel_quarkus:2)
  • cpe:/a:redhat:camel_spring_boot:3
  • Red Hat / Red Hat Integration Change Data Capture (cpe:/a:redhat:integration:1)
  • Red Hat / Red Hat JBoss Data Grid 7 (cpe:/a:redhat:jboss_data_grid:7)
  • Red Hat / Red Hat Data Grid 8 (cpe:/a:redhat:jboss_data_grid:8)
  • cpe:/a:redhat:jboss_enterprise_application_platform:6
  • cpe:/a:redhat:jboss_enterprise_application_platform:7
  • cpe:/a:redhat:jboss_enterprise_bpms_platform:7
  • Red Hat / RHPAM 7.13.1 async (cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13)
  • Red Hat / Red Hat Decision Manager 7 (cpe:/a:redhat:jboss_enterprise_brms_platform:7)
  • cpe:/a:redhat:jboss_enterprise_web_server:3
  • cpe:/a:redhat:jboss_enterprise_web_server:5
  • Red Hat / Red Hat JBoss Fuse 6 (cpe:/a:redhat:jboss_fuse:6)
  • Red Hat / Red Hat JBoss Fuse 7 (cpe:/a:redhat:jboss_fuse:7)
  • cpe:/a:redhat:jboss_fuse_service_works:6
  • Red Hat / Red Hat support for Spring Boot (cpe:/a:redhat:openshift_application_runtimes:1.0)
  • Red Hat / Red Hat build of Quarkus (cpe:/a:redhat:quarkus:2)
  • cpe:/a:redhat:red_hat_single_sign_on:7
  • cpe:/a:redhat:rhel_software_collections:3
  • Red Hat / Red Hat Integration Service Registry (cpe:/a:redhat:service_registry:2)
  • Red Hat / Enterprise Linux Server (cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9)

Patches (1)

Commit 33a2853df818

o Updated to guard against directory traversal issues.

https://github.com/codehaus-plexus/plexus-utils · Christian Schulte · May 7, 2016 · via ghsa
1 file changed · +6 −0
  • src/main/java/org/codehaus/plexus/util/Expand.java (modified, +6 −0)
    @@ -136,6 +136,12 @@ protected void extractFile( File srcF, File dir, InputStream compressedInputStre
             throws Exception
         {
             File f = FileUtils.resolveFile( dir, entryName );
    +
    +        if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
    +        {
    +            throw new IOException( "Entry '" + entryName + "' outside the target directory." );
    +        }
    +
             try
             {
                 if ( !overwrite && f.exists() && f.lastModified() >= entryDate.getTime() )
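Review bot: the containment test at `if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )` is a string-prefix comparison, so a target directory such as `/tmp/out` also accepts an entry that resolves to `/tmp/outside/...`; compare against `dir.getAbsolutePath() + File.separator` instead, or compare the two `getCanonicalPath()` values, which additionally resolves symbolic links under the target. Note also that `getAbsolutePath()` does not collapse `..` segments, so the guard only holds if the preceding `FileUtils.resolveFile( dir, entryName )` has already normalized them; that dependency deserves a comment next to the check. The hunk throws `IOException` but adds no import, so confirm `java.io.IOException` is already imported in Expand.java.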
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (9)

News mentions (0)

No linked articles in our index yet.