CVE-2023-34112

JavaCPP project actions vulnerable to code injection

Severity Score: 8.8 (CVSS v3.1)
Exploit Likelihood (EPSS): -
Affected Versions (CPE): see the affected products table below
Public Exploits: 1 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

JavaCPP Presets is a project providing Java distributions of native C++ libraries. All the actions in the `bytedeco/javacpp-presets` repository use the `github.event.head_commit.message` parameter in an insecure way. For example, the commit message is used in a `run` statement, resulting in a command injection vulnerability due to string interpolation. No exploitation has been reported. This issue has been addressed in version 1.5.9. Users of JavaCPP Presets are advised to upgrade as a precaution.
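The command-injection pattern described above, as an added example that is not part of the original advisory or of the bytedeco/javacpp-presets project: a small Python checker that scans workflow YAML for `run:` scripts which interpolate untrusted event data, run over two constructed workflows, one with `${{ github.event.head_commit.message }}` substituted directly into a `run:` script (the weak setting) and one hardened by passing the value through an environment variable so the shell receives it as data. The list of untrusted contexts is an assumption (a non-exhaustive subset of the inputs GitHub's own script-injection guidance lists as attacker-controllable), and the YAML handling is a line-based approximation rather than a full parser.

```python
import re
from typing import Iterator, List, Tuple

# GitHub Actions expression syntax: ${{ <expression> }}
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# A `run:` key, optionally as the first key of a list item ("- run:").
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

# Contexts whose value is chosen by whoever pushes, opens a PR or comments,
# not by the repository's own code. Assumption: a non-exhaustive subset of
# the inputs GitHub's script-injection guidance lists as untrusted.
UNTRUSTED_PREFIXES = (
    "github.event.head_commit.message",
    "github.event.commits",
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.event.issue.title",
    "github.event.issue.body",
    "github.event.comment.body",
    "github.head_ref",
)


def is_untrusted(expr: str) -> bool:
    """True if the expression reads an attacker-controllable context."""
    return any(expr.startswith(prefix) for prefix in UNTRUSTED_PREFIXES)


def run_step_lines(workflow_text: str) -> Iterator[Tuple[int, str]]:
    """Yield (1-based line number, text) for every line of every `run:` value.

    Handles inline values (`run: cmd`) and block scalars (`run: |`), whose
    body is every following line indented deeper than the `run` key.
    """
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        match = RUN_RE.match(lines[i])
        if not match:
            i += 1
            continue
        key_indent = len(match.group(1)) + len(match.group(2) or "")
        value = match.group(3)
        if value.rstrip() in ("|", ">", "|-", ">-", "|+", ">+"):
            i += 1
            while i < len(lines) and (
                not lines[i].strip()
                or len(lines[i]) - len(lines[i].lstrip(" ")) > key_indent
            ):
                yield i + 1, lines[i]
                i += 1
        else:
            yield i + 1, value
            i += 1


def find_run_injections(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line, expression) for each untrusted context substituted into
    a `run:` script, i.e. spliced into the shell text before the shell parses it."""
    findings = []
    for line_no, text in run_step_lines(workflow_text):
        for expr in EXPR_RE.findall(text):
            if is_untrusted(expr):
                findings.append((line_no, expr))
    return findings


# Constructed sample workflows (not taken from bytedeco/javacpp-presets).
VULNERABLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Show commit message
        run: |
          echo "Commit: ${{ github.event.head_commit.message }}"
      - run: echo "${{ github.actor }} pushed"
"""

# Same step, hardened: the expression goes into an environment variable and
# the script reads "$COMMIT_MSG", so the value never becomes command text.
HARDENED_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Show commit message
        env:
          COMMIT_MSG: ${{ github.event.head_commit.message }}
        run: |
          echo "Commit: $COMMIT_MSG"
"""

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, find_run_injections(text) or "no untrusted interpolation in run steps")
```

Running the script reports line 10 of the vulnerable workflow (the `head_commit.message` interpolation) and nothing for the hardened one; the `github.actor` expression on line 11 is deliberately left unflagged, since it is not in the untrusted list. The same check can be pointed at a repository's `.github/workflows/*.yml` files to find the pattern this CVE describes before it reaches a runner.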

Credits: N/A
CVSS Scores (Common Vulnerability Scoring System, v3.1)

Two vectors are listed for this CVE; the first is the one behind the 8.8 score above.

Metric               First vector                                   Second vector
Attack Vector        Network                                        Network
Attack Complexity    Low                                            Low
Privileges Required  Low                                            Low
User Interaction     None                                           None
Scope                Unchanged                                      Unchanged
Confidentiality      High                                           None
Integrity            High                                           Low
Availability         High                                           None
Vector string        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
SSVC (Stakeholder-Specific Vulnerability Categorization)
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Technical Impact: -
  (The decision reflects the organization's worst-case scenario.)
Timeline
  • 2023-05-25 CVE Reserved
  • 2023-06-08 CVE Published
  • 2024-06-14 EPSS Updated
  • 2024-08-02 CVE Updated
  • 2024-08-02 First Exploit
  • Exploited in Wild: -
  • KEV Due Date: -
CWE
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
Affected Vendors, Products, and Versions

Vendor     Product          Version   Other   Status
Bytedeco   Javacpp Presets  < 1.5.9   -       Affected