[ https://issues.apache.org/jira/browse/MSHARED-959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17202813#comment-17202813 ]
Hudson commented on MSHARED-959:
--------------------------------

Build succeeded in Jenkins: Maven » Maven TLP » maven-common-artifact-filters » master #22

See https://ci-builds.apache.org/job/Maven/job/maven-box/job/maven-common-artifact-filters/job/master/22/

> Upgrade Maven Shared Utils to 3.3.3
> -----------------------------------
>
>                 Key: MSHARED-959
>                 URL: https://issues.apache.org/jira/browse/MSHARED-959
>             Project: Maven Shared Components
>          Issue Type: Dependency upgrade
>          Components: maven-common-artifact-filters
>            Reporter: Sylwester Lachiewicz
>            Assignee: Sylwester Lachiewicz
>            Priority: Minor
>             Fix For: maven-common-artifact-filters-3.1.1
>
>
> Affected versions of this package are vulnerable to Command Injection. The
> {{Commandline}} class can emit double-quoted strings without proper escaping,
> allowing shell injection attacks. The {{BourneShell}} class should
> unconditionally single-quote emitted strings (including the name of the
> command itself being quoted), with {{'"'"'}} used for embedded single
> quotes, for maximum safety across shells implementing a superset of POSIX
> quoting rules.
>
> This is a similar issue to
> [{{SNYK-JAVA-ORGCODEHAUSPLEXUS-31522}}|https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
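The quoting rule the issue description asks for (unconditional single quotes, `'"'"'` for embedded single quotes, command name included), as an added POSIX sh example that is not code from maven-shared-utils or Maven; `shell_quote`, `naive_double_quote`, `reparse` and `quote_command` are names chosen here:

```shell
# Added example (not maven-shared-utils code): the single-quoting rule from
# MSHARED-959 written in POSIX sh, next to the weak double-quoting form.

# Unconditionally single-quote a string. Each embedded single quote becomes
# '"'"' : close the quote, a double-quoted single quote, reopen the quote.
shell_quote() {
    rest=$1
    out="'"
    while [ -n "$rest" ]; do
        case $rest in
            \'*) out="$out'\"'\"'" ;;
            *)   out="$out${rest%"${rest#?}"}" ;;   # append the first character
        esac
        rest=${rest#?}                              # drop the first character
    done
    printf '%s\n' "$out'"
}

# The weak form the issue describes: inside double quotes $, ` and \ stay
# live, so the shell still performs expansion and command substitution.
naive_double_quote() {
    printf '"%s"\n' "$1"
}

# Re-parse a quoted word with sh itself and return what the shell ends up
# seeing as the argument value.
reparse() {
    eval "printf '%s\n' $1"
}

# Quote every word of a command line, the command name included.
quote_command() {
    line=
    for word; do
        line="$line${line:+ }$(shell_quote "$word")"
    done
    printf '%s\n' "$line"
}
```

Trailing newlines in an argument are lost by the `$(...)` captures used here; the quoting itself handles embedded newlines.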