[ https://issues.apache.org/jira/browse/MNG-7168?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dwayne E Culbertson updated MNG-7168:
-------------------------------------
    Description: 

Project: [https://github.com/apache/maven-shared-utils/pull/40]
Project: https://issues.apache.org/jira/browse/MSHARED-297

  was:
h4. EXPLANATION
The {{maven-shared-utils}} package is vulnerable to Command Injection. The 
constructor and {{unifyQuotes()}} method in the {{BourneShell}} class and the 
{{getRawCommandLine()}} and {{getShellCommandLine()}} methods in the {{Shell}} 
class fail to escape double-quoted arguments emitted from {{Commandline}}. A 
remote attacker can exploit this behavior to execute arbitrary commands by 
supplying a combination of shell metacharacters and commands via any affected 
input parameter.
h4. DETECTION
The application is vulnerable by using this component.
h4. RECOMMENDATION
We recommend upgrading to a version of this component that is not vulnerable to 
this specific issue.

Note: If this component is included as a bundled/transitive dependency of 
another component, there may not be an upgrade path. In this instance, we 
recommend contacting the maintainers who included the vulnerable package. 
Alternatively, we recommend investigating alternative components or a potential 
mitigating control.
h4. ROOT CAUSE
apache-maven-3.8.1-bin.zip : apache-maven-3.8.1/lib/maven-shared-utils-3.2.1.jar : org/apache/maven/shared/utils/cli/shell/Shell.class ( , 3.3.3)
h4. ADVISORIES
Project: [https://github.com/apache/maven-shared-utils/pull/40]
Project: https://issues.apache.org/jira/browse/MSHARED-297
h4. CVSS DETAILS
Sonatype CVSS 3: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        Summary: maven-shared-utils package is vulnerable to Command Injection  (was: SONATYPE-2020-0491)

> maven-shared-utils package is vulnerable to Command Injection
> -------------------------------------------------------------
>
>                 Key: MNG-7168
>                 URL: https://issues.apache.org/jira/browse/MNG-7168
>             Project: Maven
>          Issue Type: Bug
>            Reporter: Dwayne E Culbertson
>            Priority: Major
>              Labels: Security
>
>
> Project: [https://github.com/apache/maven-shared-utils/pull/40]
> Project: https://issues.apache.org/jira/browse/MSHARED-297
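The EXPLANATION above describes arguments that are wrapped in double quotes without escaping. The following is an added example, not code from maven-shared-utils or from the issue: a round-trip check that shows how such quoting changes the argument boundaries a POSIX shell sees, next to a single-quote quoter (an assumption for this example, not the project's actual fix). Sample arguments are constructed.

```python
import shlex


def naive_double_quote(arg: str) -> str:
    """Flawed quoting of the kind the EXPLANATION describes: wrap the argument
    in double quotes but leave an embedded double quote unescaped."""
    return '"' + arg + '"'


def safe_single_quote(arg: str) -> str:
    """Hardened quoting (an assumption for this example, not the project's own
    fix): inside single quotes every character is literal, and an embedded
    single quote is spliced in as '\\'' so the argument stays one word."""
    return "'" + arg.replace("'", "'\\''") + "'"


def build_command_line(quote, args):
    """Join quoted arguments into one line for a 'sh -c' style invocation."""
    return " ".join(quote(a) for a in args)


def quoting_preserves_args(quote, args):
    """True if POSIX word splitting and quote removal (modelled by shlex)
    yield exactly the arguments the caller passed in.

    Caveat: shlex does not model parameter or command expansion, so this
    check finds argument-boundary breaks, not every metacharacter problem;
    that is why the hardened quoter single-quotes everything."""
    line = build_command_line(quote, args)
    try:
        return shlex.split(line) == list(args)
    except ValueError:  # unbalanced quotes: the shell would not parse it as intended
        return False


# Constructed sample inputs (not from the issue): benign values that merely
# contain a double quote, which is enough to change argument boundaries.
SAMPLES = [
    ["ls", "-l"],
    ["echo", 'a" "b'],
    ["cp", 'report "final".txt', "out"],
    ["echo", "it's"],
]

if __name__ == "__main__":
    for args in SAMPLES:
        for quote in (naive_double_quote, safe_single_quote):
            ok = quoting_preserves_args(quote, args)
            print(f"{quote.__name__:20} {args!r:40} preserved={ok}")
```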



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
