PT-2022-24837 · Nuprocess · Nuprocess

Brettwooldridge · Published 2022-09-26 · Updated 2023-07-13 · CVE-2022-39243

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: NuProcess versions 1.2.0 through 2.0.4
Description: NuProcess is an external process execution library for Java. Versions 1.2.0 through 2.0.4 are vulnerable to command line argument injection: an attacker who controls the content of a command argument can embed NUL (0x00) characters to inject additional arguments. The issue is specific to Linux. Java's own ProcessBuilder rejects any argument containing a NUL character before it launches the process; NuProcess's Linux launch path omits that check, so the embedded NUL reaches the argument list and acts as an argument boundary, and the text after it is seen by the started process as a separate argument. On macOS and Windows the NUL instead truncates the argument (a C string ends at the first NUL), so the injected text never reaches the started process and the issue is not exploitable there.
Recommendations: Update to NuProcess 2.0.5 or later, which resolves the issue. As a temporary workaround for versions 1.2.0 through 2.0.4, sanitize command strings before passing them to NuProcess for execution: remove NUL characters, or, better, reject any argument that contains one, as ProcessBuilder does, since stripping silently changes the argument the caller intended.
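The workaround above, as an added Java example that is not NuProcess project code: a pre-launch guard that applies the same NUL check ProcessBuilder performs (reject), the advisory's strip-based alternative beside it, and a simulation of how a launcher that treats NUL as an argument boundary would see the attacker's argument. The class name NulSafeCommand, the path /usr/bin/tool and the flag --unsafe-flag are assumptions made for the illustration; the NuProcessBuilder call is shown in a comment so the file compiles with a plain JDK.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Added example, not NuProcess project code: a pre-launch guard that applies
 * the NUL check java.lang.ProcessBuilder performs, for callers still on
 * NuProcess 1.2.0 through 2.0.4. The command and the attacker input in main()
 * are constructed for illustration.
 */
public final class NulSafeCommand {

    private NulSafeCommand() {}

    /** True if any argument contains a NUL (U+0000) character. */
    public static boolean containsNul(List<String> command) {
        for (String arg : command) {
            if (arg.indexOf('\0') >= 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Preferred workaround: refuse the command, mirroring ProcessBuilder.
     * Rejecting keeps the caller's intent intact instead of silently editing it.
     */
    public static List<String> requireNoNul(List<String> command) {
        for (int i = 0; i < command.size(); i++) {
            if (command.get(i).indexOf('\0') >= 0) {
                throw new IllegalArgumentException(
                        "invalid null character in command argument " + i);
            }
        }
        return command;
    }

    /** The advisory's alternative: strip NUL characters from every argument. */
    public static List<String> stripNul(List<String> command) {
        List<String> cleaned = new ArrayList<>(command.size());
        for (String arg : command) {
            cleaned.add(arg.replace("\0", ""));
        }
        return cleaned;
    }

    /**
     * Simulation (not NuProcess internals) of the argument list a child would
     * receive from a launcher that treats NUL as the boundary between
     * arguments: one attacker-controlled argument becomes several.
     */
    public static List<String> splitOnNul(List<String> command) {
        List<String> argv = new ArrayList<>();
        for (String arg : command) {
            int start = 0;
            int nul;
            while ((nul = arg.indexOf('\0', start)) >= 0) {
                argv.add(arg.substring(start, nul));
                start = nul + 1;
            }
            argv.add(arg.substring(start));
        }
        return argv;
    }

    public static void main(String[] args) {
        // Constructed attacker input: a "filename" with an embedded NUL followed
        // by an extra flag. /usr/bin/tool and --unsafe-flag are hypothetical.
        String userControlled = "report.txt\0--unsafe-flag";
        List<String> cmd = Arrays.asList("/usr/bin/tool", userControlled);

        System.out.println("argv as a NUL-splitting launcher would see it: " + splitOnNul(cmd));
        System.out.println("after stripNul (note the changed filename): " + stripNul(cmd));

        // On Linux, ProcessBuilder rejects the same command with an IOException
        // before exec; on other platforms the nonexistent /usr/bin/tool fails
        // with a different IOException instead.
        try {
            new ProcessBuilder(cmd).start();
        } catch (IOException e) {
            System.out.println("ProcessBuilder: " + e.getMessage());
        }

        // Guard NuProcess the same way. With the NuProcess jar on the classpath
        // the launch would read:
        //   new NuProcessBuilder(requireNoNul(cmd)).start();
        try {
            requireNoNul(cmd);
        } catch (IllegalArgumentException e) {
            System.out.println("guard: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac NulSafeCommand.java && java NulSafeCommand`. The stripNul line shows why rejecting is the safer of the two workarounds: removing the NUL turns the intended filename into a different one rather than surfacing the tampering.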

Weakness Enumeration

Command Injection

Related Identifiers

CVE-2022-39243
GHSA-CXGF-V2P8-7PH7

Affected Products

Nuprocess