CVE-2022-25914 - Vulnerability Details - OpenCVE

The package com.google.cloud.tools:jib-core before 0.22.0 are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, due to attempting to execute input.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01495.

Key SSVC decision points have not yet been added.

Vendors	Products
Jib Project Subscribe	Jib Subscribe
Redhat Subscribe	Migration Toolkit Runtimes Subscribe

Configuration 1 [-]

cpe:2.3:a:jib_project:jib:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Migration Toolkit for Runtimes 1 on RHEL 8
org.jboss.windup-windup-openshift-parent	cpe:/a:redhat:migration_toolkit_runtimes:1.0::el8	RHSA-2023:0471	2023-01-26T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2022-6750	The package com.google.cloud.tools:jib-core before 0.22.0 are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, due to attempting to execute input.
Github GHSA	GHSA-936v-cg49-m2g5	com.google.cloud.tools:jib-core vulnerable to Remote Code Execution (RCE)

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/GoogleContainerTools/jib/commit/67fa40bc2c484da0546333914ea07a89fe44eaaf
https://github.com/GoogleContainerTools/jib/pull/3744
https://nvd.nist.gov/vuln/detail/CVE-2022-25914
https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECLOUDTOOLS-2968871
https://www.cve.org/CVERecord?id=CVE-2022-25914

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: snyk

Published: 2022-09-08T05:05:17.747601Z

Updated: 2024-09-17T00:11:32.255Z

Reserved: 2022-02-24T00:00:00

Link: CVE-2022-25914

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-08T05:15:07.497

Modified: 2024-11-21T06:53:12.377

Link: CVE-2022-25914

Redhat

Severity : Important

Publid Date: 2022-09-08T00:00:00Z

Links: CVE-2022-25914 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

{"containers": {"cna": {"affected": [{"product": "com.google.cloud.tools:jib-core", "vendor": "n/a", "versions": [{"lessThan": "0.22.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "altman"}], "datePublic": "2022-09-08T00:00:00", "descriptions": [{"lang": "en", "value": "The package com.google.cloud.tools:jib-core before 0.22.0 are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, due to attempting to execute input."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Remote Code Execution (RCE)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-09-08T05:05:17", "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "shortName": "snyk"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECLOUDTOOLS-2968871"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/GoogleContainerTools/jib/pull/3744"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/GoogleContainerTools/jib/commit/67fa40bc2c484da0546333914ea07a89fe44eaaf"}], "title": "Remote Code Execution (RCE)", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "report@snyk.io", "DATE_PUBLIC": "2022-09-08T05:00:03.050962Z", "ID": "CVE-2022-25914", "STATE": "PUBLIC", "TITLE": "Remote Code Execution (RCE)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "com.google.cloud.tools:jib-core", "version": {"version_data": [{"version_affected": "<", "version_value": "0.22.0"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "altman"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The package com.google.cloud.tools:jib-core before 0.22.0 are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, due to attempting to execute input."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Remote Code Execution (RCE)"}]}]}, "references": {"reference_data": [{"name": "https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECLOUDTOOLS-2968871", "refsource": "MISC", "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECLOUDTOOLS-2968871"}, {"name": "https://github.com/GoogleContainerTools/jib/pull/3744", "refsource": "MISC", "url": "https://github.com/GoogleContainerTools/jib/pull/3744"}, {"name": "https://github.com/GoogleContainerTools/jib/commit/67fa40bc2c484da0546333914ea07a89fe44eaaf", "refsource": "MISC", "url": "https://github.com/GoogleContainerTools/jib/commit/67fa40bc2c484da0546333914ea07a89fe44eaaf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T04:49:44.308Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECLOUDTOOLS-2968871"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/GoogleContainerTools/jib/pull/3744"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/GoogleContainerTools/jib/commit/67fa40bc2c484da0546333914ea07a89fe44eaaf"}]}]}, "cveMetadata": {"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730", "assignerShortName": "snyk", "cveId": "CVE-2022-25914", "datePublished": "2022-09-08T05:05:17.747601Z", "dateReserved": "2022-02-24T00:00:00", "dateUpdated": "2024-09-17T00:11:32.255Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jib_project:jib:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4D10246-5E7B-4F0F-8D86-B3457B03FEA9", "versionEndExcluding": "0.22.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The package com.google.cloud.tools:jib-core before 0.22.0 are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, due to attempting to execute input."}, {"lang": "es", "value": "El paquete com.google.cloud.tools:jib-core versiones anteriores a 0.22.0, es vulnerable a una ejecuci\u00f3n de c\u00f3digo remota (RCE) por medio de la funci\u00f3n isDockerInstalled, debido al intento de ejecutar la entrada"}], "id": "CVE-2022-25914", "lastModified": "2024-11-21T06:53:12.377", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "report@snyk.io", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-08T05:15:07.497", "references": [{"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/GoogleContainerTools/jib/commit/67fa40bc2c484da0546333914ea07a89fe44eaaf"}, {"source": "report@snyk.io", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/GoogleContainerTools/jib/pull/3744"}, {"source": "report@snyk.io", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECLOUDTOOLS-2968871"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/GoogleContainerTools/jib/commit/67fa40bc2c484da0546333914ea07a89fe44eaaf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/GoogleContainerTools/jib/pull/3744"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECLOUDTOOLS-2968871"}], "sourceIdentifier": "report@snyk.io", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}