https://bugzilla.redhat.com/show_bug.cgi?id=2066479
Bug ID: 2066479
Summary: maven-shared-utils: Command injection via Commandline class
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aileenc(a)redhat.com, asoldano(a)redhat.com,
bbaranow(a)redhat.com, bmaxwell(a)redhat.com,
brian.stansberry(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, darran.lofthouse(a)redhat.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, fjansen(a)redhat.com,
fjuma(a)redhat.com, ggastald(a)redhat.com,
ggaughan(a)redhat.com, gmalinko(a)redhat.com,
hhorak(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jochrist(a)redhat.com, jorton(a)redhat.com,
jwon(a)redhat.com, kaycoth(a)redhat.com,
krathod(a)redhat.com, lgao(a)redhat.com,
mizdebsk(a)redhat.com, mosmerov(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
nwallace(a)redhat.com, pjindal(a)redhat.com,
pmackay(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, sbiarozk(a)redhat.com,
smaestri(a)redhat.com, tom.jenkinson(a)redhat.com
Target Milestone: ---
Classification: Other
org.apache.maven.shared:maven-shared-utils is a functional replacement for
plexus-utils in Maven. Affected versions of this package are vulnerable to
command injection: the Commandline class can emit double-quoted strings without
proper escaping, allowing shell injection attacks. The BourneShell class should
instead unconditionally single-quote every emitted string (including the name of
the command itself), using '"'"' for embedded single quotes, for maximum safety
across shells implementing a superset of POSIX quoting rules.
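As an added example (not code from maven-shared-utils or the linked pull request), the following Python models the quoting rule recommended above and checks it end to end by running the quoted command line through /bin/sh, next to the naive double-quoting the report describes. The function names and the sample arguments are constructed for this illustration.

```python
import subprocess

# Constructed test vectors: things a legitimate argument may contain.
SAMPLES = [
    "it's a 'quoted' value",   # embedded single quotes need the '"'"' form
    "$HOME",                   # expanded by sh even inside double quotes
    "a; b",                    # command separator
    "back\\slash",             # a literal backslash must survive unchanged
    "",                        # an empty argument must still reach the program
]

def single_quote(arg: str) -> str:
    """Quote as MSHARED-297 recommends: always single-quote, and turn each
    embedded ' into '"'"' (close quote, a double-quoted ', reopen quote)."""
    return "'" + arg.replace("'", "'\"'\"'") + "'"

def naive_double_quote(arg: str) -> str:
    """The unsafe pattern: inside double quotes $, ` and \\ stay live for sh."""
    return '"' + arg + '"'

def shell_receives(quoter, arg: str) -> str:
    """Build `printf %s <arg>` with every word (the command name included) passed
    through `quoter`, run it via /bin/sh and return the argument printf got."""
    cmdline = " ".join(quoter(word) for word in ("printf", "%s", arg))
    result = subprocess.run(["sh", "-c", cmdline], capture_output=True,
                            text=True, check=True)
    return result.stdout

def round_trips(quoter) -> bool:
    """True only if every sample reaches the program byte-for-byte unchanged."""
    return all(shell_receives(quoter, sample) == sample for sample in SAMPLES)
```

With the single-quoting rule every sample round-trips; the double-quoted form already fails on "$HOME", which sh expands before printf ever sees it.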
References:
https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEMAVENSHARED-570592
https://issues.apache.org/jira/browse/MSHARED-297
https://github.com/apache/maven-shared-utils/pull/40