CVE-2022-39224 - OpenCVE

Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ruby-arr-pm Project	Ruby-arr-pm

Configuration 1 [-]

cpe:2.3:a:ruby-arr-pm_project:ruby-arr-pm:*:*:*:*:*:ruby:*:*

No data.

References

Link	Providers
https://github.com/jordansissel/ruby-arr-pm/pull/14
https://github.com/jordansissel/ruby-arr-pm/pull/15
https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-09-21T23:10:08

Updated: 2024-08-03T12:00:43.325Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39224

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-09-21T23:15:09.623

Modified: 2022-09-26T13:41:40.930

Link: CVE-2022-39224

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ruby-arr-pm", "vendor": "jordansissel", "versions": [{"status": "affected", "version": "< 0.0.12"}]}], "descriptions": [{"lang": "en", "value": "Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious \"payload compressor\" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-21T23:10:08", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/15"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/14"}], "source": {"advisory": "GHSA-88cv-mj24-8w3q", "discovery": "UNKNOWN"}, "title": "Arbitrary shell execution when extracting or listing files contained in a malicious rpm.", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-39224", "STATE": "PUBLIC", "TITLE": "Arbitrary shell execution when extracting or listing files contained in a malicious rpm."}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ruby-arr-pm", "version": {"version_data": [{"version_value": "< 0.0.12"}]}}]}, "vendor_name": "jordansissel"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious \"payload compressor\" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q", "refsource": "CONFIRM", "url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q"}, {"name": "https://github.com/jordansissel/ruby-arr-pm/pull/15", "refsource": "MISC", "url": "https://github.com/jordansissel/ruby-arr-pm/pull/15"}, {"name": "https://github.com/jordansissel/ruby-arr-pm/pull/14", "refsource": "MISC", "url": "https://github.com/jordansissel/ruby-arr-pm/pull/14"}]}, "source": {"advisory": "GHSA-88cv-mj24-8w3q", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.325Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/15"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/14"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39224", "datePublished": "2022-09-21T23:10:08", "dateReserved": "2022-09-02T00:00:00", "dateUpdated": "2024-08-03T12:00:43.325Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-arr-pm_project:ruby-arr-pm:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "0DCB3286-980B-4B5B-8A8E-128C03D4B03F", "versionEndExcluding": "0.0.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious \"payload compressor\" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool."}, {"lang": "es", "value": "Arr-pm es una biblioteca de lectura/escritura de RPM escrita en Ruby. Las versiones anteriores a 0.0.12 est\u00e1n sujetas a una inyecci\u00f3n de comandos del Sistema Operativo, resultando en una ejecuci\u00f3n de shell si el RPM contiene un campo \"payload compressor\" malicioso. Esta vulnerabilidad afecta a los m\u00e9todos \"extract\" y \"files\" de la clase \"RPM::File\" de esta biblioteca. La versi\u00f3n 0.0.12 parchea estos problemas. Una mitigaci\u00f3n para este problema es asegurarse de que cualquier RPM que es procedido contenga valores de compresores de carga \u00fatil v\u00e1lidos/conocidos como gzip, bzip2, xz, zstd y lzma. El campo del compresor de carga \u00fatil en un rpm puede comprobarse al usar la herramienta de l\u00ednea de comandos rpm"}], "id": "CVE-2022-39224", "lastModified": "2022-09-26T13:41:40.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-09-21T23:15:09.623", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/14"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/15"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}]}