Bugzilla – Bug 1198833
VUL-0: CVE-2022-29599: maven-shared-utils: Command injection via Commandline class
Last modified: 2022-06-20 11:15:30 UTC
rh#2066479 org.apache.maven.shared:maven-shared-utils is a functional replacement for plexus-utils in Maven. Affected versions of this package are vulnerable to Command Injection. The Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. The BourneShell class should unconditionally single-quote emitted strings (including the name of the command itself), with '"'"' used for embedded single quotes, for maximum safety across shells implementing a superset of POSIX quoting rules.

References:
https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEMAVENSHARED-570592
https://issues.apache.org/jira/browse/MSHARED-297
https://github.com/apache/maven-shared-utils/pull/40
https://bugzilla.redhat.com/show_bug.cgi?id=2066479
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29599
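The quoting rule described above (always single-quote, and write an embedded single quote as '"'"') is simple enough to check directly. The following is an added example, not code from maven-shared-utils: it is written in Python rather than the project's Java, the function names bourne_quote, build_command_line and round_trips are my own, and the sample arguments are constructed. It builds a command line the way the fix recommends and uses shlex.split, which follows POSIX word-splitting rules, to confirm that every argument comes back as exactly one literal word, with no shell metacharacter left in a position where a real shell would interpret it.

```python
import shlex
from typing import Iterable, List


def bourne_quote(arg: str) -> str:
    """Quote one argument so a POSIX shell sees it as a single literal word.

    Everything is wrapped in single quotes, inside which no expansion or
    splitting happens.  A literal single quote cannot appear inside single
    quotes, so it is written as '"'"' : close the single-quoted run, emit a
    double-quoted ', then reopen single quotes.  Adjacent quoted runs are
    concatenated by the shell into one word.
    """
    return "'" + arg.replace("'", "'\"'\"'") + "'"


def build_command_line(executable: str, args: Iterable[str]) -> str:
    """Quote the executable as well as every argument, as the fix recommends
    (the unsafe variant quoted arguments with double quotes and left the
    command name untouched)."""
    return " ".join(bourne_quote(word) for word in [executable, *args])


def round_trips(words: List[str]) -> bool:
    """True if a POSIX tokenizer turns the quoted line back into `words`
    exactly, i.e. each original argument survives as one literal word."""
    line = build_command_line(words[0], words[1:])
    return shlex.split(line) == list(words)


if __name__ == "__main__":
    # Constructed inputs: the second and third contain characters that a
    # shell would otherwise treat as separators, command substitution, or
    # quoting.  All must remain inert data.
    sample = ["mvn", "-Dproject.name=it's $(hostname)", "a b; `id`"]
    print(build_command_line(sample[0], sample[1:]))
    print("round-trips:", round_trips(sample))
```

A quick sanity check for any replacement quoting routine is the round-trip above: if the tokenized form differs from the original argument list, the routine has either split an argument or let a quote escape, and the command line is not safe to hand to a shell.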
Affected:
- SUSE:SLE-15-SP2:Update/maven-shared-utils 3.2.1
- openSUSE:Factory/maven-shared-utils 3.2.1
This is an autogenerated message for OBS integration: This bug (1198833) was mentioned in https://build.opensuse.org/request/show/973672 Factory / maven-shared-utils