Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2022-29599

Public on 2022-05-03
Modified on 2023-01-18
Description

org.apache.maven.shared:maven-shared-utils is a functional replacement for plexus-utils in Maven. Affected versions of this package are vulnerable to Command Injection. The Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks. The BourneShell class should unconditionally single-quote emitted strings (including the name of the command itself being quoted), with {{\'"\'"\'}} used for embedded single quotes, for maximum safety across shells implementing a superset of POSIX quoting rules.

Severity
Critical
See what this means
CVSS v3 Base Score
9.8
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Core maven-shared-utils 2022-05-04 01:01 ALAS2-2022-1794
Amazon Linux 2023 maven-shared-utils 2023-02-17 20:46 ALAS2023-2023-077

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD CVSSv2 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
NVD CVSSv3 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2022-29599 Mitre: CVE-2022-29599 FAQs regarding Amazon Linux ALAS/CVE Severity