
CVSS: 9.8 | EPSS: 2% | CPEs: 3 | EXPL: 0

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.

• http://www.openwall.com/lists/oss-security/2022/05/23/3
  https://github.com/apache/maven-shared-utils/pull/40
  https://issues.apache.org/jira/browse/MSHARED-297
  https://lists.debian.org/debian-lts-announce/2022/08/msg00018.html
  https://www.debian.org/security/2022/dsa-5242
  https://access.redhat.com/security/cve/CVE-2022-29599
  https://bugzilla.redhat.com/show_bug.cgi?id=2066479

• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
  CWE-116: Improper Encoding or Escaping of Output