CVE-2022-29599 — Improper Encoding or Escaping of Output in Software Foundation Apache Maven

CWE-116 — Improper Encoding or Escaping of Output CWE-77 — Command Injection10 documents8 sources

Severity

9.8CRITICALNVD

EPSS

0.4%

top 39.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Maven Apache Maven Shared Utils Debian Linux

Timeline

PublishedMay 23

Latest updateApr 11

Description

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDapache/maven_shared_utils< 3.3.3

▶CVEListV5apache_software_foundation/apache_mavenmaven-shared-utils — 3.3.3

Also affects: Debian Linux 10.0, 11.0

Patches

Patch: github.com ↗Patch: issues.apache.org ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Command injection in Apache Maven maven-shared-utils↗2022-05-24

▶

GHSA

Command injection in Apache Maven maven-shared-utils↗2022-05-24

▶

CVEList

Commandline class shell injection vulnerabilities↗2022-05-23

▶

OSV

CVE-2022-29599: In Apache Maven maven-shared-utils prior to version 3↗2022-05-23

▶

📋Vendor Advisories

Ubuntu

Apache Maven Shared Utils vulnerability↗2024-04-11

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Centralized Thirdparty Jars (Apache Maven Shared Utils) — CVE-2022-29599↗2023-10-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Third Party (Apache Maven) — CVE-2022-29599↗2023-04-15

▶

Debian

CVE-2022-29599: maven-shared-utils - In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class...↗2022

▶

Red Hat

maven-shared-utils: Command injection via Commandline class↗2020-05-29

▶