CVE-2022-29599

Summary

CVE	CVE-2022-29599
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-05-23 11:16:00 UTC
Updated	2023-09-28 09:15:00 UTC
Description	In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

Risk And Classification

Problem Types: CWE-116

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Maven Shared Utils	All	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	11.0	All	All	All

References

Reference	Source	Link	Tags
Debian -- Security Information -- DSA-5242-1 maven-shared-utils	DEBIAN	www.debian.org
oss-security - CVE-2022-29599: Apache Maven: Commandline class shell injection vulnerabilities	MLIST	www.openwall.com
[MSHARED-297] Commandline class shell injection vulnerabilities - ASF JIRA	MISC	issues.apache.org
[SECURITY] [DLA 3086-1] maven-shared-utils security update	MLIST	lists.debian.org
[MSHARED-297] Unconditionally single quote executable and arguments by roxspring · Pull Request #40 · apache/maven-shared-utils · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

150735 Oracle WebLogic Server Multiple Vulnerabilities (CPU - OCT2023)
159774 Oracle Enterprise Linux Security Update for maven-shared-utils (ELSA-2022-1541)
159871 Oracle Enterprise Linux Security Update for maven:3.6 (ELSA-2022-4797)
159872 Oracle Enterprise Linux Security Update for maven:3.5 (ELSA-2022-4798)
179872 Debian Security Update for maven-shared-utils (DLA 3059-1)
180977 Debian Security Update for maven-shared-utils (DLA 3086-1)
181084 Debian Security Update for maven-shared-utils (DSA 5242-1)
184012 Debian Security Update for maven-shared-utils (CVE-2022-29599)
200249 Ubuntu Security Notification for Apache Maven Shared Utils Vulnerability (USN-6730-1)
240250 Red Hat Update for maven-shared-utils (RHSA-2022:1541)
240258 Red Hat Update for rh-maven36-maven-shared-utils (RHSA-2022:1662)
240375 Red Hat Update for maven:3.5 (RHSA-2022:4798)
240376 Red Hat Update for maven:3.6 (RHSA-2022:4797)
241035 Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2022:9098)
241183 Red Hat OpenShift Container Platform 4.9 Security Update (RHSA-2023:0573)
282656 Fedora Security Update for maven (FEDORA-2022-5d6aaab56e)
353291 Amazon Linux Security Advisory for maven-shared-utils : ALAS2-2022-1794
354325 Amazon Linux Security Advisory for maven-shared-utils : ALAS2022-2022-242
354345 Amazon Linux Security Advisory for maven-shared-utils : ALAS2022-2022-060
354531 Amazon Linux Security Advisory for maven-shared-utils : ALAS-2022-242
355249 Amazon Linux Security Advisory for maven-shared-utils : ALAS2023-2023-077
377108 Alibaba Cloud Linux Security Update for maven:3.6 (ALINUX3-SA-2022:0160)
770169 Red Hat OpenShift Container Platform 4.10 Security Update (RHSA-2022:9098)
770174 Red Hat OpenShift Container Platform 4.9. Security Update (RHSA-2023:0573)
87548 Oracle WebLogic Server Multiple Vulnerabilities (CPUOCT2023)
940582 AlmaLinux Security Update for maven:3.6 (ALSA-2022:4797)
940587 AlmaLinux Security Update for maven:3.5 (ALSA-2022:4798)
960191 Rocky Linux Security Update for maven:3.6 (RLSA-2022:4797)
960278 Rocky Linux Security Update for maven:3.5 (RLSA-2022:4798)