Posted to issues@maven.apache.org by "Dwayne E Culbertson (Jira)" <ji...@apache.org> on 2021/06/03 12:54:00 UTC

[jira] [Updated] (MNG-7168) SONATYPE-2020-0491

     [ https://issues.apache.org/jira/browse/MNG-7168?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dwayne E Culbertson updated MNG-7168:
-------------------------------------
    Labels: Security  (was: )

> SONATYPE-2020-0491
> ------------------
>
>                 Key: MNG-7168
>                 URL: https://issues.apache.org/jira/browse/MNG-7168
>             Project: Maven
>          Issue Type: Bug
>            Reporter: Dwayne E Culbertson
>            Priority: Major
>              Labels: Security
>
> h4. EXPLANATION
> The {{maven-shared-utils}} package is vulnerable to Command Injection. The constructor and {{unifyQuotes()}} method in the {{BourneShell}} class and the {{getRawCommandLine()}} and {{getShellCommandLine()}} methods in the {{Shell}} class fail to escape double-quoted arguments emitted from {{Commandline}}. A remote attacker can exploit this behavior to execute arbitrary commands by supplying a combination of shell metacharacters and commands via any affected input parameter.
> h4. DETECTION
> The application is vulnerable by using this component.
> h4. RECOMMENDATION
> We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
> Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
> h4. ROOT CAUSE
> apache-maven-3.8.1-bin.zip / apache-maven-3.8.1/lib/maven-shared-utils-3.2.1.jar / org/apache/maven/shared/utils/cli/shell/Shell.class ( , 3.3.3)
> h4. ADVISORIES
> Project: https://github.com/apache/maven-shared-utils/pull/40
> Project: https://issues.apache.org/jira/browse/MSHARED-297
> h4. CVSS DETAILS
> Sonatype CVSS 3: 9.8
> CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
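One way to check whether a build still ships an affected copy of the component, as an added example that is not part of the Jira issue or of the Maven project: it scans `mvn dependency:tree` output and jar file names for maven-shared-utils and, reading the root-cause range `( , 3.3.3)` as "every version below 3.3.3" (an assumption), flags the ones to upgrade. The sample tree output is constructed for the example.

```python
"""Flag vulnerable maven-shared-utils versions in a Maven build.

Added example, not code from the Jira issue or the Maven project. It assumes
the affected range is every version below 3.3.3 (the advisory's "( , 3.3.3)")
and the usual dependency:tree line format "groupId:artifactId:type:version:scope"
without classifiers.
"""
import re

GROUP = "org.apache.maven.shared"
ARTIFACT = "maven-shared-utils"
FIXED_VERSION = (3, 3, 3)  # assumption: first version outside the affected range

# dependency:tree prints coordinates after tree-drawing characters (+- \- |)
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?P<version>[^:\s]+)(?::(?P<scope>\w+))?"
)
# jar file name as found under <maven home>/lib or ~/.m2
JAR_RE = re.compile(r"maven-shared-utils-(?P<version>\d[^/\\]*)\.jar$")

def parse_version(version):
    """Turn '3.2.1' or '3.3.3-SNAPSHOT' into a comparable tuple of ints.
    Qualifiers after '-' or '+' are dropped, so a 3.3.3 pre-release counts as
    fixed here (assumption); tighten this if SNAPSHOT builds matter to you."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))

def is_vulnerable(version):
    return parse_version(version) < FIXED_VERSION

def find_vulnerable(tree_output):
    """Return [(version, line)] for each maven-shared-utils entry below the fix.
    Transitive entries (the note in the ticket) show up too, since
    dependency:tree lists them under the dependency that pulls them in."""
    hits = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if not m or m.group("group") != GROUP or m.group("artifact") != ARTIFACT:
            continue
        if is_vulnerable(m.group("version")):
            hits.append((m.group("version"), line.strip()))
    return hits

def jar_is_vulnerable(path):
    """True for a jar path such as lib/maven-shared-utils-3.2.1.jar below the fix."""
    m = JAR_RE.search(path)
    return bool(m) and is_vulnerable(m.group("version"))

# Constructed sample of `mvn dependency:tree` output, not real project output.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0
[INFO] +- org.apache.maven.shared:maven-shared-utils:jar:3.2.1:compile
[INFO] |  \\- commons-io:commons-io:jar:2.6:compile
[INFO] \\- org.apache.maven.plugins:maven-invoker-plugin:jar:3.2.2:provided
[INFO]    \\- org.apache.maven.shared:maven-shared-utils:jar:3.3.3:compile
"""

if __name__ == "__main__":
    for version, line in find_vulnerable(SAMPLE_TREE):
        print(f"upgrade needed ({version}): {line}")
```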



--
This message was sent by Atlassian Jira
(v8.3.4#803005)