CVE-2022-29599
Aliases:GHSA-rhgr-952r-6p8q
Advisory lineage Upstream: 0 Downstream: 24
Modified
Published: 23 May 2022, 10:25
Last modified:03 Aug 2024, 06:26
Vulnerability Summary
Overall Risk (default)
high
70/100 CVSS Score
9.8 CRITICAL
v3.1 (nvd)
EPSS Score
0.26% LOW
0% probability -0.19%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
23 May 2022, 10:25
Published
Vulnerability first disclosed
03 Aug 2024, 06:26
Last Modified
Vulnerability information updated
Description
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
CVSS Metrics
- v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 0.26%• Percentile: 49%
Techniques & Countermeasures
- CWE-116•Improper Encoding or Escaping of Output
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Affected Systems
- apache software foundation•apache maven
≥ maven-shared-utils, < 3.3.3
- apache•maven_shared_utils
< 3.3.3
- debian•debian_linux
10.0 | 11.0
- org.apache.maven.shared•maven-shared-utils
< 3.3.3
References (7)
- https://issues.apache.org/jira/browse/MSHARED-297
- https://github.com/apache/maven-shared-utils/pull/40
- http://www.openwall.com/lists/oss-security/2022/05/23/3
- https://lists.debian.org/debian-lts-announce/2022/08/msg00018.html
- https://www.debian.org/security/2022/dsa-5242
- https://nvd.nist.gov/vuln/detail/CVE-2022-29599
- https://github.com/apache/maven-shared-utils