exploitDog

CVE-2022-29599

Published: 29 May 2020
Source: redhat
CVSS3: 9.8
EPSS: Low

Description

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.

Report

Red Hat Satellite ships the Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on the affected Apache Maven Shared Utils. Because Satellite does not directly use Apache Maven Shared Utils or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. Note that this solution applies only to RHEL 8, which is the only release that supports modules; it is not applicable to earlier versions, including RHEL 7.

Affected packages

| Platform                                   | Package                                      | State                | Recommendation | Release |
|--------------------------------------------|----------------------------------------------|----------------------|----------------|---------|
| A-MQ Clients 2                             | maven-shared-utils                           | Not affected         |                |         |
| Logging Subsystem for Red Hat OpenShift    | openshift-logging/elasticsearch6-rhel8       | Not affected         |                |         |
| Red Hat AMQ Broker 7                       | maven-shared-utils                           | Not affected         |                |         |
| Red Hat A-MQ Online                        | maven-shared-utils                           | Not affected         |                |         |
| Red Hat build of Apicurio Registry 2       | maven-shared-utils                           | Not affected         |                |         |
| Red Hat build of Debezium 1                | maven-shared-utils                           | Not affected         |                |         |
| Red Hat build of Quarkus                   | maven-shared-utils                           | Not affected         |                |         |
| Red Hat CodeReady Studio 12                | maven-shared-utils                           | Out of support scope |                |         |
| Red Hat Data Grid 8                        | maven-shared-utils                           | Not affected         |                |         |
| Red Hat Decision Manager 7                 | maven-shared-utils                           | Not affected         |                |         |


Additional information

Status: Important
Weakness: CWE-77
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2066479 (maven-shared-utils: Command injection via Commandline class)

EPSS

Percentile: 59%
Score: 0.00395
Low

CVSS3

9.8 Critical

Related vulnerabilities

CVSS3: 9.8
ubuntu
about 3 years ago

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

CVSS3: 9.8
nvd
about 3 years ago

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

CVSS3: 9.8
debian
about 3 years ago

In Apache Maven maven-shared-utils prior to version 3.3.3, the Command ...

CVSS3: 9.8
redos
about 1 year ago

maven-shared-utils vulnerability

rocky
about 3 years ago

Important: maven:3.5 security update
