CVE-2022-29599

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Apache Maven maven-shared-utils versions prior to 3.3.3

Description The issue is related to the Commandline class in Apache Maven maven-shared-utils, which can emit double-quoted strings without proper escaping. This allows for shell injection attacks, potentially enabling a remote attacker to conduct code injection attacks in the command shell.

Recommendations For versions prior to 3.3.3, update to version 3.3.3 or later to resolve the issue. As a temporary workaround, consider disabling the use of double-quoted strings in the Commandline class until a patch is available. Restrict access to the Commandline class to minimize the risk of exploitation. Avoid using the Commandline class with untrusted input until the issue is resolved.

Fix

Command Injection

Improper Encoding or Escaping of Output

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77CWE-116

Related Identifiers

ALSA-2022:4797

ALSA-2022:4798

ALT-PU-2022-2160

BDU:2024-03775

CESA-2022_4797

CESA-2022_4798

CVE-2022-29599

DLA-3059-1

DLA-3086-1

DSA-5242-1

GHSA-RHGR-952R-6P8Q

OESA-2022-1684

OPENSUSE-SU-2024:12027-1

RHSA-2022:1541

RHSA-2022:1662

RHSA-2022:4699

RHSA-2022:4797

RHSA-2022:4798

RHSA-2022:9098

RHSA-2022_1541

RHSA-2022_4797

RHSA-2022_4798

RHSA-2023:0573

RHSA-2023:3198

RHSA-2023:3610

RHSA-2023:3622

RHSA-2023:6171

RHSA-2023:6172

RHSA-2023:6179

RHSA-2023:7288

RHSA-2024:0775

RHSA-2024:0776

RHSA-2024:0777

RHSA-2024:0778

RLSA-2022:4797

RLSA-2022:4798

USN-6730-1

Affected Products

Alt Linux

Almalinux

Apache Maven Maven-Shared-Utils

Astra Linux

Centos

Linuxmint

Red Hat

Red Os

Rocky Linux

Ubuntu

CVE-2022-29599

Weakness Enumeration

Related Identifiers

Affected Products

References · 47