Bug 2066479 (CVE-2022-29599) - CVE-2022-29599 maven-shared-utils: Command injection via Commandline class
Summary: CVE-2022-29599 maven-shared-utils: Command injection via Commandline class
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-29599
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2066480 2068193 2068630 2068631 2068632 2068633 2068634 2068635 2068636 2068637 2068638 2068639 2068640 2068641 2068642 2068643 2068644 2068645 2068646 2068647 2068648 2068649 2068650 2068651 2069081 2070057 2070058 2070059
Blocks: 2066481 (Embargoed)

Reported: 2022-03-21 21:29 UTC by Pedro Sampaio
Modified: 2023-05-21 00:46 UTC
CC List: 107 users

Fixed In Version: maven-shared-utils 3.3.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.
Clone Of:
Environment:
Last Closed: 2022-05-02 12:45:32 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:1674 0 None None None 2022-05-02 18:12:04 UTC
Red Hat Product Errata RHBA-2022:1707 0 None None None 2022-05-04 12:51:34 UTC
Red Hat Product Errata RHBA-2022:4780 0 None None None 2022-05-26 12:43:09 UTC
Red Hat Product Errata RHBA-2022:4837 0 None None None 2022-05-31 10:32:19 UTC
Red Hat Product Errata RHBA-2022:4838 0 None None None 2022-05-31 10:45:05 UTC
Red Hat Product Errata RHBA-2022:4878 0 None None None 2022-06-01 18:27:01 UTC
Red Hat Product Errata RHBA-2022:4923 0 None None None 2022-06-07 09:14:58 UTC
Red Hat Product Errata RHBA-2022:4995 0 None None None 2022-06-13 10:21:32 UTC
Red Hat Product Errata RHBA-2022:4996 0 None None None 2022-06-13 10:22:00 UTC
Red Hat Product Errata RHBA-2022:5007 0 None None None 2022-06-13 13:05:21 UTC
Red Hat Product Errata RHBA-2023:0717 0 None None None 2023-02-09 19:57:21 UTC
Red Hat Product Errata RHSA-2022:1541 0 None None None 2022-04-26 10:21:32 UTC
Red Hat Product Errata RHSA-2022:1662 0 None Closed [BZ] When we try to fetch sosreport from server its getting hung. 2022-05-20 20:31:14 UTC
Red Hat Product Errata RHSA-2022:4699 0 None None None 2022-05-23 11:57:06 UTC
Red Hat Product Errata RHSA-2022:4797 0 None None None 2022-05-30 12:35:59 UTC
Red Hat Product Errata RHSA-2022:4798 0 None None None 2022-05-30 12:59:27 UTC
Red Hat Product Errata RHSA-2022:9098 0 None None None 2023-01-04 16:58:39 UTC
Red Hat Product Errata RHSA-2023:0573 0 None None None 2023-02-09 12:47:31 UTC
Red Hat Product Errata RHSA-2023:3198 0 None None None 2023-05-17 17:50:36 UTC

Description Pedro Sampaio 2022-03-21 21:29:09 UTC
org.apache.maven.shared:maven-shared-utils is a functional replacement for plexus-utils in Maven. Affected versions of this package are vulnerable to Command Injection. The Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. The BourneShell class should unconditionally single-quote emitted strings (including the name of the command itself being quoted), with '"'"' used for embedded single quotes, for maximum safety across shells implementing a superset of POSIX quoting rules.

References:

https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEMAVENSHARED-570592
https://issues.apache.org/jira/browse/MSHARED-297
https://github.com/apache/maven-shared-utils/pull/40
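The quoting problem described above, as an added example. This is editorial Python, not the Java code of maven-shared-utils: `double_quote_naive` is a constructed model of the flawed strategy (wrap in double quotes, escape only the quote character), `single_quote_posix` is the single-quote-with-'"'"' strategy the report recommends, and `shell_view` is a small stand-in for POSIX quote removal so the difference can be checked without running a shell. The `$(echo INJECTED)` argument is a constructed attacker-controlled value; `run_through_sh` is only for a local demonstration with /bin/sh.

```python
"""Added example (not maven-shared-utils code): double-quoting leaves '$' and
backtick live for /bin/sh; unconditional single-quoting does not."""
import subprocess


def double_quote_naive(arg: str) -> str:
    """Flawed model: '"' is escaped, but '$', '`' and '\\' stay live inside
    POSIX double quotes, so $(...) and `...` are still executed."""
    return '"' + arg.replace('"', '\\"') + '"'


def single_quote_posix(arg: str) -> str:
    """Safe on any shell with POSIX quoting: nothing is special inside single
    quotes; a literal single quote is emitted as '"'"' (close quote,
    double-quoted quote character, reopen quote)."""
    return "'" + arg.replace("'", "'\"'\"'") + "'"


def build_shell_command(executable: str, args: list[str], quote) -> str:
    """Quote the command name and every argument with the given strategy."""
    return " ".join(quote(word) for word in (executable, *args))


def shell_view(cmdline: str) -> list[tuple[str, bool]]:
    """Model POSIX quote removal (no expansion) for one command line.

    Returns one (word, live) pair per word; `live` is True when a '$' or '`'
    reached the shell unquoted or inside double quotes, i.e. in a position
    where the shell would expand it instead of passing it literally.
    """
    words: list[tuple[str, bool]] = []
    cur: list[str] = []
    started = live = in_single = in_double = False
    i = 0
    while i < len(cmdline):
        c = cmdline[i]
        nxt = cmdline[i + 1] if i + 1 < len(cmdline) else ""
        if in_single:
            if c == "'":
                in_single = False
            else:
                cur.append(c)
        elif in_double:
            if c == '"':
                in_double = False
            elif c == "\\" and nxt and nxt in '"\\$`':
                # inside double quotes a backslash escapes only these characters
                cur.append(nxt)
                i += 1
            else:
                live = live or c in "$`"
                cur.append(c)
        elif c == "'":
            in_single = started = True
        elif c == '"':
            in_double = started = True
        elif c == "\\" and nxt:
            cur.append(nxt)
            i += 1
            started = True
        elif c in " \t\n":
            if started:
                words.append(("".join(cur), live))
                cur, started, live = [], False, False
        else:
            live = live or c in "$`"
            cur.append(c)
            started = True
        i += 1
    if in_single or in_double:
        raise ValueError("unterminated quote")
    if started:
        words.append(("".join(cur), live))
    return words


def run_through_sh(cmdline: str) -> str:
    """Demo only: execute the command line with /bin/sh and return stdout."""
    proc = subprocess.run(["/bin/sh", "-c", cmdline],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    hostile = "$(echo INJECTED)"  # constructed attacker-controlled argument
    for quote in (double_quote_naive, single_quote_posix):
        cmd = build_shell_command("printf", ["%s\\n", hostile, "it's"], quote)
        print(f"{quote.__name__:20} {cmd}")
        print("  shell sees:", shell_view(cmd))
        print("  sh output :", run_through_sh(cmd).strip())
```

With the naive strategy, `shell_view` reports the hostile word as live and /bin/sh prints `INJECTED`; with single quoting the same word reaches `printf` as the literal text `$(echo INJECTED)`, and an embedded single quote (`it's`) survives the '"'"' splice intact.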

Comment 1 Pedro Sampaio 2022-03-21 21:29:41 UTC
Created maven-shared-utils tracking bugs for this issue:

Affects: fedora-all [bug 2066480]

Comment 9 errata-xmlrpc 2022-04-26 10:21:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:1541 https://access.redhat.com/errata/RHSA-2022:1541

Comment 10 errata-xmlrpc 2022-05-02 08:02:35 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:1662 https://access.redhat.com/errata/RHSA-2022:1662

Comment 11 Product Security DevOps Team 2022-05-02 12:45:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-29599

Comment 12 errata-xmlrpc 2022-05-23 11:57:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:4699 https://access.redhat.com/errata/RHSA-2022:4699

Comment 13 errata-xmlrpc 2022-05-30 12:35:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support
  Red Hat Enterprise Linux 8
  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:4797 https://access.redhat.com/errata/RHSA-2022:4797

Comment 14 errata-xmlrpc 2022-05-30 12:59:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support
  Red Hat Enterprise Linux 8

Via RHSA-2022:4798 https://access.redhat.com/errata/RHSA-2022:4798

Comment 17 errata-xmlrpc 2023-01-04 16:58:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:9098 https://access.redhat.com/errata/RHSA-2022:9098

Comment 18 errata-xmlrpc 2023-02-09 12:47:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0573 https://access.redhat.com/errata/RHSA-2023:0573

Comment 22 errata-xmlrpc 2023-05-17 17:50:32 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198
