[Bug 2066479] New: maven-shared-utils: Command injection via Commandline class

[Bug 2019329] New: nosync.so is...

[Bug 2126789] New: CVE-2022-25857...

bugzilla＠redhat.com

Monday, 21 March 2022 Mon, 21 Mar '22

4:29 p.m.

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 Bug ID: 2066479 Summary: maven-shared-utils: Command injection via Commandline class Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: psampaio(a)redhat.com CC: aileenc(a)redhat.com, asoldano(a)redhat.com, bbaranow(a)redhat.com, bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com, cdewolf(a)redhat.com, chazlett(a)redhat.com, darran.lofthouse(a)redhat.com, dkreling(a)redhat.com, dosoudil(a)redhat.com, drieden(a)redhat.com, fjansen(a)redhat.com, fjuma(a)redhat.com, ggastald(a)redhat.com, ggaughan(a)redhat.com, gmalinko(a)redhat.com, hhorak(a)redhat.com, iweiss(a)redhat.com, janstey(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jochrist(a)redhat.com, jorton(a)redhat.com, jwon(a)redhat.com, kaycoth(a)redhat.com, krathod(a)redhat.com, lgao(a)redhat.com, mizdebsk(a)redhat.com, mosmerov(a)redhat.com, msochure(a)redhat.com, msvehla(a)redhat.com, nwallace(a)redhat.com, pjindal(a)redhat.com, pmackay(a)redhat.com, rstancel(a)redhat.com, rsvoboda(a)redhat.com, sbiarozk(a)redhat.com, smaestri(a)redhat.com, tom.jenkinson(a)redhat.com Target Milestone: --- Classification: Other org.apache.maven.shared:maven-shared-utils is a functional replacement for plexus-utils in Maven. Affected versions of this package are vulnerable to Command Injection. The Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. The BourneShell class should unconditionally single-quote emitted strings (including the name of the command itself being quoted), with {{'"'"'}} used for embedded single quotes, for maximum safety across shells implementing a superset of POSIX quoting rules. References: https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEMAVENSHARED-570592 https://issues.apache.org/jira/browse/MSHARED-297 https://github.com/apache/maven-shared-utils/pull/40 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

Show replies by date

bugzilla＠redhat.com

Monday, 21 March Mon, 21 Mar

4:29 p.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 Pedro Sampaio <psampaio(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |2066480 Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2066480 [Bug 2066480] maven-shared-utils: Command injection via Commandline class [fedora-all] -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

4:29 p.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 --- Comment #1 from Pedro Sampaio <psampaio(a)redhat.com> --- Created maven-shared-utils tracking bugs for this issue: Affects: fedora-all [bug 2066480] -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

4:30 p.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 Pedro Sampaio <psampaio(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |2061553 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

4:31 p.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 Pedro Sampaio <psampaio(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|2061553 | -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

4:31 p.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 Pedro Sampaio <psampaio(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |2066481 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

Thursday, 24 March Thu, 24 Mar

10:52 a.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 juneau(a)redhat.com changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |2068193 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

Friday, 25 March Fri, 25 Mar

11:54 a.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 Mauro Matteo Cascella <mcascell(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |maven-shared-utils 3.3.3 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

3:43 p.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 Mauro Matteo Cascella <mcascell(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |2068643, 2068650, 2068631, | |2068651, 2068637, 2068641, | |2068644, 2068649, 2068639, | |2068633, 2068635, 2068647, | |2068640, 2068645, 2068642, | |2068630, 2068632, 2068646, | |2068638, 2068648, 2068634, | |2068636 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

3:49 p.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 --- Comment #4 from Mauro Matteo Cascella <mcascell(a)redhat.com> --- Upstream commit: https://github.com/apache/maven-shared-utils/commit/f751e614c09df8de1a080... -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

Monday, 28 March Mon, 28 Mar

3:35 a.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 Mauro Matteo Cascella <mcascell(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |2069081 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

Wednesday, 30 March Wed, 30 Mar

6:49 a.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 Vipul Nair <vinair(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends On| |2070059, 2070057, 2070058 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

Thursday, 21 April Thu, 21 Apr

5:15 a.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 Bug 2066479 depends on bug 2066480, which changed state. Bug 2066480 Summary: maven-shared-utils: Command injection via Commandline class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2066480 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |NOTABUG -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

Friday, 22 April Fri, 22 Apr

5:06 p.m.

New subject: [Bug 2066479] maven-shared-utils: Command injection via Commandline class

https://bugzilla.redhat.com/show_bug.cgi?id=2066479 Bug 2066479 depends on bug 2066480, which changed state. Bug 2066480 Summary: maven-shared-utils: Command injection via Commandline class [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2066480 What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |NEW Resolution|NOTABUG |--- -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2066479

bugzilla＠redhat.com

Monday, 25 April Mon, 25 Apr

7:09 a.m.