Apache · Apache Maven Maven-Shared-Utils · CVE-2022-29599
**Name of the Vulnerable Software and Affected Versions**
Apache Maven maven-shared-utils versions prior to 3.3.3
**Description**
The Commandline class in Apache Maven maven-shared-utils can emit double-quoted strings without proper escaping. This allows shell injection: a remote attacker may be able to inject code into the command shell.
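Why double quotes alone are not enough, as an added example (not code from maven-shared-utils or from this advisory): a POSIX shell still performs command substitution inside `"..."`, so an argument wrapped without escaping is altered before the program sees it. The function names and the sample file name are constructed for illustration, and Python's `shlex.quote` stands in for a correct quoting routine.

```python
import shlex
import subprocess

# Constructed sample: a file name carrying two command-substitution forms.
UNTRUSTED = "report-$(echo EXPANDED)-`echo EXPANDED`.txt"


def naive_double_quote(arg: str) -> str:
    """Flawed pattern: wrap in double quotes, escape nothing."""
    return '"' + arg + '"'


def escaped_double_quote(arg: str) -> str:
    """Escape the characters a POSIX shell still interprets inside "..."."""
    for ch in ("\\", '"', "$", "`"):  # backslash first, so added escapes are not doubled
        arg = arg.replace(ch, "\\" + ch)
    return '"' + arg + '"'


def seen_by_program(quoted_arg: str) -> str:
    """Run `printf '%s' <quoted_arg>` under /bin/sh; return the argument printf received."""
    result = subprocess.run(
        ["/bin/sh", "-c", "printf '%s' " + quoted_arg],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def compare(arg: str) -> dict:
    """Map each quoting strategy to what the shell actually passed on."""
    return {
        "naive": seen_by_program(naive_double_quote(arg)),
        "escaped": seen_by_program(escaped_double_quote(arg)),
        "single": seen_by_program(shlex.quote(arg)),
    }


if __name__ == "__main__":
    for name, value in compare(UNTRUSTED).items():
        status = "intact" if value == UNTRUSTED else "ALTERED BY SHELL"
        print(f"{name:8} {status:17} {value}")
```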
**Recommendations**
For versions prior to 3.3.3, update to version 3.3.3 or later to resolve the issue. As a temporary workaround, consider disabling the use of double-quoted strings in the Commandline class until a patch is available. Restrict access to the Commandline class to minimize the risk of exploitation. Avoid using the Commandline class with untrusted input until the issue is resolved.