Amazon Linux 2023 Security Advisory: ALAS-2023-077
Advisory Release Date: 2023-02-17 20:46 Pacific
Advisory Updated Date: 2023-02-22 23:30 Pacific
Severity:
Critical
Issue Overview:
org.apache.maven.shared:maven-shared-utils is a functional replacement for plexus-utils in Maven. Affected versions of this package are vulnerable to Command Injection. The Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. The BourneShell class should unconditionally single-quote emitted strings (including the name of the command itself being quoted), with {{\'"\'"\'}} used for embedded single quotes, for maximum safety across shells implementing a superset of POSIX quoting rules. (CVE-2022-29599)
Affected Packages:
maven-shared-utils
Issue Correction:
Run dnf update maven-shared-utils --releasever=2023.0.20230222 to update your system.
New Packages:
noarch:
maven-shared-utils-3.3.4-4.amzn2023.0.3.noarch
maven-shared-utils-javadoc-3.3.4-4.amzn2023.0.3.noarch
src:
maven-shared-utils-3.3.4-4.amzn2023.0.3.src