org.codehaus.plexus.util.Expand does not guard against directory traversal, but such protection is generally expected from unarchiving tools.
I think the class should just be deprecated and removed because there do not appear to be any users left (not even a test case).
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.
More information and reason for this action is here:
This is a feature request and as such it has been forwarded upstream: http://jira.codehaus.org/browse/PLXUTILS-178
Fixed in upstream version 3.0.24