{"affected_release": [{"advisory": "RHSA-2023:3610", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1686649756-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2023-06-15T00:00:00Z"}, {"advisory": "RHSA-2023:6172", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1698294000-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:0778", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1706515741-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2023:3622", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-2-plugins-0:4.13.1686680473-1.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2023-06-15T00:00:00Z"}, {"advisory": "RHSA-2023:6179", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-2-plugins-0:4.13.1698292274-1.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:0776", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-2-plugins-0:4.13.1706516346-1.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2023:7288", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-2-plugins-0:4.14.1699356715-1.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2023-11-16T00:00:00Z"}, {"advisory": "RHSA-2024:0777", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-2-plugins-0:4.14.1706516441-1.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2023:3198", "cpe": "cpe:/a:redhat:ocp_tools:4.11::el8", "package": "jenkins-2-plugins-0:4.11.1683009941-1.el8", "product_name": "OpenShift Developer Tools and Services for OCP 4.11", "release_date": "2023-05-17T00:00:00Z"}, {"advisory": 
"RHSA-2023:6171", "cpe": "cpe:/a:redhat:ocp_tools:4.11::el8", "package": "jenkins-2-plugins-0:4.11.1698299029-1.el8", "product_name": "OpenShift Developer Tools and Services for OCP 4.11", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:0775", "cpe": "cpe:/a:redhat:ocp_tools:4.11::el8", "package": "jenkins-2-plugins-0:4.11.1706516946-1.el8", "product_name": "OpenShift Developer Tools and Services for OCP 4.11", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2022:1541", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "maven-shared-utils-0:0.4-4.el7_9", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2022-04-26T00:00:00Z"}, {"advisory": "RHSA-2022:4797", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "maven:3.6-8060020220428115217.32bfc089", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-30T00:00:00Z"}, {"advisory": "RHSA-2022:4798", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "maven:3.5-8060020220428102527.219351c9", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-30T00:00:00Z"}, {"advisory": "RHSA-2022:4699", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "maven:3.5-8010020220428105208.6ece90b1", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-05-23T00:00:00Z"}, {"advisory": "RHSA-2022:4797", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "maven:3.6-8020020220428113059.6f73a675", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-05-30T00:00:00Z"}, {"advisory": "RHSA-2022:4798", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "maven:3.5-8020020220428105255.1f11a1d9", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-05-30T00:00:00Z"}, {"advisory": "RHSA-2022:4797", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "maven:3.6-8040020220428113925.2bbcd66f", "product_name": "Red Hat Enterprise Linux 8.4 Extended 
Update Support", "release_date": "2022-05-30T00:00:00Z"}, {"advisory": "RHSA-2022:4798", "cpe": "cpe:/a:redhat:rhel_eus:8.4", "package": "maven:3.5-8040020220428105311.b9dd3217", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2022-05-30T00:00:00Z"}, {"advisory": "RHSA-2022:9098", "cpe": "cpe:/a:redhat:openshift:4.10::el8", "package": "jenkins-2-plugins-0:4.10.1670851835-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2023-01-04T00:00:00Z"}, {"advisory": "RHSA-2023:0573", "cpe": "cpe:/a:redhat:openshift:4.9::el8", "package": "jenkins-2-plugins-0:4.9.1674644684-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2023-02-09T00:00:00Z"}, {"advisory": "RHSA-2022:1662", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-maven36-maven-shared-utils-0:3.2.1-0.2.3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2022-05-02T00:00:00Z"}], "bugzilla": {"description": "maven-shared-utils: Command injection via Commandline class", "id": "2066479", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2066479"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-77", "details": ["In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.", "A flaw was found in the maven-shared-utils package. 
This issue allows a Command Injection due to improper escaping, allowing a shell injection attack."], "name": "CVE-2022-29599", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch6-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:amq_online:1", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat A-MQ Online"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat build of Apicurio Registry 2"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat build of Debezium 1"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_developer_studio:12.", "fix_state": "Out of support scope", "package_name": "maven-shared-utils", "product_name": "Red Hat CodeReady Studio 12"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "maven-shared-utils", 
"product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat Integration Camel K 1"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat Integration Camel Quarkus 1"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "maven-shared-utils", "product_name": "Red Hat Integration Data Virtualisation Operator"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Out of support scope", "package_name": "maven-shared-utils", "product_name": "Red Hat Integration Service Registry"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "maven-shared-utils", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "maven-shared-utils", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "maven-shared-utils", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "maven-shared-utils", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3", "fix_state": "Out of support scope", "package_name": "maven-shared-utils", "product_name": "Red Hat JBoss Web Server 3"}, {"cpe": 
"cpe:/a:redhat:jboss_enterprise_web_server:5", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat JBoss Web Server 5"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "Red Hat support for Spring Boot"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "maven-shared-utils", "product_name": "streams for Apache Kafka"}], "public_date": "2020-05-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-29599\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-29599"], "statement": "Red Hat Satellite ships the Candlepin component, which uses the Tomcatjss module from the RHEL AppStream repository. In turn, Tomcatjss relies on Maven, which itself depends on the affected Apache Maven Shared Utils. Because Satellite does not directly use Apache Maven Shared Utils or expose it in its code, it is considered not affected by the flaw. Satellite customers can resolve the security warning by updating to the fixed Apache Maven Shared Utils through the updated Maven module, which is available in the RHEL 8 AppStream repository. It's worth noting that this solution applies solely to RHEL 8, which supports modules exclusively, and it is not applicable to earlier versions, including RHEL 7.", "threat_severity": "Important"}