GHSA-CXGF-V2P8-7PH7

Vulnerability from github – Published: 2022-09-30 04:29 – Updated: 2022-09-30 04:29
VLAI
Summary
NuProcess vulnerable to command-line injection through insertion of NUL character(s)
Details

Impact

In all the versions of NuProcess where it forks processes by using the JVM's Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java's ProcessBuilder isn't vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check.

This vulnerability can only be exploited to inject command line arguments on Linux. - On macOS, any argument with a NUL character is truncated at that character. This means the malicious arguments are never seen by the started process. - On Windows, the entire command line is truncated at the first NUL character. This means the malicious arguments, and any intentional arguments provided after them, are never seen by the started process.

Patches

2.0.5

Workarounds

Users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.

References

None.

Severity
8.4 (High)
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.zaxxer:nuprocess"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2.0"
            },
            {
              "fixed": "2.0.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-39243"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-09-30T04:29:11Z",
    "nvd_published_at": "2022-09-26T14:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIn all the versions of NuProcess where it forks processes by using the JVM\u0027s Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java\u0027s ProcessBuilder isn\u0027t vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check.\n\nThis vulnerability can only be exploited to inject command line arguments on Linux.\n- On macOS, any argument with a NUL character is truncated at that character. This means the malicious arguments are never seen by the started process.\n- On Windows, the entire command line is truncated at the first NUL character. This means the malicious arguments, and any intentional arguments provided after them, are never seen by the started process.\n\n### Patches\n2.0.5\n\n### Workarounds\nUsers of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.\n\n### References\nNone.\n",
  "id": "GHSA-cxgf-v2p8-7ph7",
  "modified": "2022-09-30T04:29:11Z",
  "published": "2022-09-30T04:29:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/brettwooldridge/NuProcess/security/advisories/GHSA-cxgf-v2p8-7ph7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39243"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brettwooldridge/NuProcess/pull/143"
    },
    {
      "type": "WEB",
      "url": "https://github.com/brettwooldridge/NuProcess/commit/29bc09de561bf00ff9bf77123756363a9709f868"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/brettwooldridge/NuProcess"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NuProcess vulnerable to command-line injection through insertion of NUL character(s)"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.