Search criteria
1 vulnerability by nuprocess_project
CVE-2022-39243 (GCVE-0-2022-39243)
Vulnerability from cvelistv5 – Published: 2022-09-26 13:25 – Updated: 2025-04-22 17:20
VLAI
Title
NuProcess vulnerable to command-line injection through insertion of NUL character(s)
Summary
NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM's Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java's ProcessBuilder isn't vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.
Severity
8.4 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/brettwooldridge/NuProcess/secu… | x_refsource_CONFIRM |
| https://github.com/brettwooldridge/NuProcess/pull/143 | x_refsource_MISC |
| https://github.com/brettwooldridge/NuProcess/comm… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brettwooldridge | NuProcess |
Affected:
>= 1.2.0, < 2.0.5
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:00:43.337Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/brettwooldridge/NuProcess/security/advisories/GHSA-cxgf-v2p8-7ph7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/brettwooldridge/NuProcess/pull/143"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/brettwooldridge/NuProcess/commit/29bc09de561bf00ff9bf77123756363a9709f868"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-39243",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:41:21.285384Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:20:18.073Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "NuProcess",
"vendor": "brettwooldridge",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.2.0, \u003c 2.0.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM\u0027s Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java\u0027s ProcessBuilder isn\u0027t vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-26T13:25:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/brettwooldridge/NuProcess/security/advisories/GHSA-cxgf-v2p8-7ph7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/brettwooldridge/NuProcess/pull/143"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/brettwooldridge/NuProcess/commit/29bc09de561bf00ff9bf77123756363a9709f868"
}
],
"source": {
"advisory": "GHSA-cxgf-v2p8-7ph7",
"discovery": "UNKNOWN"
},
"title": "NuProcess vulnerable to command-line injection through insertion of NUL character(s)",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-39243",
"STATE": "PUBLIC",
"TITLE": "NuProcess vulnerable to command-line injection through insertion of NUL character(s)"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "NuProcess",
"version": {
"version_data": [
{
"version_value": "\u003e= 1.2.0, \u003c 2.0.5"
}
]
}
}
]
},
"vendor_name": "brettwooldridge"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM\u0027s Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java\u0027s ProcessBuilder isn\u0027t vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/brettwooldridge/NuProcess/security/advisories/GHSA-cxgf-v2p8-7ph7",
"refsource": "CONFIRM",
"url": "https://github.com/brettwooldridge/NuProcess/security/advisories/GHSA-cxgf-v2p8-7ph7"
},
{
"name": "https://github.com/brettwooldridge/NuProcess/pull/143",
"refsource": "MISC",
"url": "https://github.com/brettwooldridge/NuProcess/pull/143"
},
{
"name": "https://github.com/brettwooldridge/NuProcess/commit/29bc09de561bf00ff9bf77123756363a9709f868",
"refsource": "MISC",
"url": "https://github.com/brettwooldridge/NuProcess/commit/29bc09de561bf00ff9bf77123756363a9709f868"
}
]
},
"source": {
"advisory": "GHSA-cxgf-v2p8-7ph7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-39243",
"datePublished": "2022-09-26T13:25:11.000Z",
"dateReserved": "2022-09-02T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:20:18.073Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}