Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double-quoted strings.
[
{
"id": "CVE-2017-1000487-02fb605b",
"deprecated": false,
"digest": {
"line_hashes": [
"300799970982068015982431037008041195086",
"104676368707797886347384246451253523428",
"162346545987340120690720711533396833634",
"67598624732669161930637271996319015448",
"207745034413981090703372942108334909329",
"200989870876524342534428753293969201746",
"140351054116545176855270093950742554258",
"216858197118834227521071144975071977065",
"67661911869677207178233261896575301568",
"305820704747279464979485562232562154954",
"319544270405357518845780270084338555247",
"173099726432875169567666693757411034115",
"285475526510075422052788660232655247777",
"192060110213693258689441169939565831557",
"99189173883135506272230103145987586947",
"24934156606211279344995154497674790516",
"54406988797198545216355706718551458339",
"7717133447410990880821574672260862477",
"286627158450329675767002972682036764416",
"217107724011426553366081138219920659428",
"22132108982777781368150828813772176429",
"305325230576796526419679502293788705604",
"46484743183609010269019381491570960566",
"336290306340757305620549721204299277864",
"39144991994285324332998631062327778325",
"215948012795257716838605863262704722315",
"221733053921728608672842611073437964976",
"125077954493002993460738224621212032030",
"31132798232780144061992833484444962026",
"333178855125170181232599168362445363997",
"231857808611946931778050423570965868491",
"83851115173377586090612255287583890797",
"162250303065076345261209492967712625715",
"264751428289959259740596146253211352803",
"15827968120897778693992378133578887381",
"248280553452405849085166451402542214356",
"306296295192740195911351040919143857613",
"134719570181542193618263823151111295437",
"222528643462955454669631882567314972746",
"253646862163839839850827744536057064692",
"216451383950582534538977614945257698392",
"43552458198366550128089465039349862823",
"302640542209010748092284586731033209246",
"308858535711491574819492266531964542997"
],
"threshold": 0.9
},
"target": {
"file": "src/main/java/org/codehaus/plexus/util/cli/Commandline.java"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Line"
},
{
"id": "CVE-2017-1000487-2563cf2f",
"deprecated": false,
"digest": {
"length": 868.0,
"function_hash": "245328568726289761535579372425817308010"
},
"target": {
"file": "src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java",
"function": "getRawCommandLine"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-25f1cd38",
"deprecated": false,
"digest": {
"line_hashes": [
"279318192494055280893864218865251420718",
"10885823087519446278830464154190954428",
"339637272527835449592538332722503032483",
"315341723640956645557047926618482323876",
"11020193414079140304210406700743936311",
"15248381420429985469351059600632181081",
"69770402220552774331030142290272573282",
"182876066750053336804266707895898638834",
"175520929032102173996312984351110011285",
"236557089223711662977294659461117831717",
"61792606937303249130203737506050334912",
"143517943469409887434271931290580296871",
"254274144236442360004152979803939331552",
"98275859908661230726342158759884345443",
"100919086091100649668389946948189332540",
"48101020662085164544104040221404613114",
"319067707487987508848485175619250365847",
"287959877349089530942877573757282162633",
"94781417977212615898780281351549754304",
"32245080349303680897547383509784681707",
"167381137560759913773544447093179373907",
"204778344005468556975933891282171460392",
"118399976537918844451770361318630942758",
"225479027823873198693388548368672540232",
"177507711899775162265388380544713547463",
"131525387911331961278352187004043909631",
"242300683975749043600876242348747130671",
"205732003330485726840487497172040002438",
"229386760563428956916270966371945231783",
"116079380353084399668749993807168146370",
"242300683975749043600876242348747130671",
"183679823968295882621379682585654302187",
"5801842194203685961815971014576406082",
"197693002550403722870652616728087716652",
"179669615772033602463600740091432627860",
"188996999043343786163141981004460679325",
"57624416196709235973054567144272631285",
"282506764841889541995609711624856018110"
],
"threshold": 0.9
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Line"
},
{
"id": "CVE-2017-1000487-365f05ce",
"deprecated": false,
"digest": {
"length": 662.0,
"function_hash": "168614751941132427320005685092623568012"
},
"target": {
"file": "src/main/java/org/codehaus/plexus/util/cli/Commandline.java",
"function": "execute"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-4c0e2f75",
"deprecated": false,
"digest": {
"length": 1191.0,
"function_hash": "84865574263062004234128658204635859208"
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java",
"function": "testBourneShellQuotingCharacters"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-4e454f42",
"deprecated": false,
"digest": {
"length": 486.0,
"function_hash": "125637259555581299840097572896638717728"
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java",
"function": "testGetShellCommandLineBash_WithSingleQuotedArg"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-50ddf289",
"deprecated": false,
"digest": {
"line_hashes": [
"24747907030602044412412141753936611263",
"29738323904320518379567511344323733353",
"265609344695144016219294555947016162041",
"124628339465447721921436693716812178493",
"202098285846879798560260004184168114185",
"317574938519314951594194024497793540934",
"222622582677497198448134633418082802652",
"227407457557667411114263333351664971699",
"263445753234790440519555458791594960196",
"79643603571293372617771188262336808962",
"133551431134571711689882278001201342719",
"189038708384935351467093655861290606978",
"264707452815564459723863158918998969299",
"296663462597268782789817466616243199580",
"321470405135019013758028420887381440428",
"278580800879945964184736854789460149649",
"292435380686846365057846686694167730292",
"300665136677648553302808514432494120759",
"252929415023036646020367008378826493602",
"64969581301086708041435904955757696159",
"247352809636236059307492204582977055689",
"4161648615289802497480829004361892131",
"217827295154713567836068753119515619668",
"88159725227002844973915368948107485029",
"52958465392509675265566931825397685331",
"88962489015985515510636668414535765554",
"234536612626884567420604869190077353987",
"88867406636929878707253180960596894036",
"200571846446911592936136467056715320818",
"221254239457423867827814348931498450136",
"324390724030002423708734665866951395124",
"50097596399256950246523093498688128788",
"264014794028486841683621206282467267355",
"315760537970361517307153248715255708883",
"124668460391102946918732570460546328383",
"305577323550441914427055549752688962858",
"114266163361757035612495942377662071156",
"34633930896986754673691812902028396132",
"87749075462671987943711226963478135785",
"195188504002927936240208002758373158077",
"246047843040645353940952857354345591909",
"28870352580081541927987920399548694603",
"176491968885978734702317463871214395691",
"230157463108787044888712190964570237476",
"187986498413229158112824585898033769217",
"283882219053242831903424889525303880018",
"101563671423118322310982248625110876340",
"294559474389998078347994108277610964338",
"160787560728369943358335398269616946279",
"89500319284740935860256150938796045135",
"14022030013499478344248191163564584180",
"302423027424073294199673625747837205995",
"56334364092681054725890387412929045056",
"252543323740694808682174612913122121834",
"58541277117774831013325813237292164536",
"88931515661337248871618778334713114446",
"257518461882859506090422280614135586654"
],
"threshold": 0.9
},
"target": {
"file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Line"
},
{
"id": "CVE-2017-1000487-5c55f3e1",
"deprecated": false,
"digest": {
"length": 308.0,
"function_hash": "181137959711395017815591555864093111648"
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java",
"function": "testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-67188aa2",
"deprecated": false,
"digest": {
"length": 307.0,
"function_hash": "92675178776976754492282614409127377887"
},
"target": {
"file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java",
"function": "unifyQuotes"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-79c0011e",
"deprecated": false,
"digest": {
"length": 383.0,
"function_hash": "219867694814017295110422838675296531315"
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java",
"function": "testEscapeSingleQuotesOnArgument"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-87180b97",
"deprecated": false,
"digest": {
"length": 314.0,
"function_hash": "261439550396805882879773841117531602714"
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java",
"function": "testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes_BackslashFileSep"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-87698c46",
"deprecated": false,
"digest": {
"length": 336.0,
"function_hash": "39888439016711569929783680222733213029"
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java",
"function": "testPreserveSingleQuotesOnArgument"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-8dc16ff6",
"deprecated": false,
"digest": {
"length": 276.0,
"function_hash": "121385083734232142650913729562102626261"
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java",
"function": "testQuoteWorkingDirectoryAndExecutable"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-a213c13f",
"deprecated": false,
"digest": {
"length": 244.0,
"function_hash": "257230636659740514664364397903802204766"
},
"target": {
"file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java",
"function": "getExecutionPreamble"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-a9549b5e",
"deprecated": false,
"digest": {
"length": 1659.0,
"function_hash": "136125616696534645561670474947206549409"
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java",
"function": "testArgumentsWithsemicolon"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-aff42aae",
"deprecated": false,
"digest": {
"length": 215.0,
"function_hash": "9153802260345320861497841110850026482"
},
"target": {
"file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java",
"function": "BourneShell"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-b952758e",
"deprecated": false,
"digest": {
"length": 58.0,
"function_hash": "75358319420489652393163783191345485342"
},
"target": {
"file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java",
"function": "getQuotingTriggerChars"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-c07096fb",
"deprecated": false,
"digest": {
"length": 482.0,
"function_hash": "317272256612478435240080772913426579029"
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java",
"function": "testGetShellCommandLineBash"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-c8a983ec",
"deprecated": false,
"digest": {
"length": 144.0,
"function_hash": "297178032715849235338500915384919426614"
},
"target": {
"file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java",
"function": "getExecutable"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-cfbc8070",
"deprecated": false,
"digest": {
"length": 461.0,
"function_hash": "53024081119851549233676211467412891619"
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java",
"function": "testGetShellCommandLineNonWindows"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-e56ec263",
"deprecated": false,
"digest": {
"length": 707.0,
"function_hash": "237761059037293327751043380171331937986"
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java",
"function": "testGetShellCommandLineBash_WithWorkingDirectory"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Function"
},
{
"id": "CVE-2017-1000487-ef50bde9",
"deprecated": false,
"digest": {
"line_hashes": [
"73418873428302441374177646890355577869",
"57266909541799630018866597338082343802",
"318315335801254346973450094711558640023",
"317378028518907049806041994282899163733",
"175531185513350794635257374928085480176",
"139264851717853355019077123984433863365",
"91479366894932914392012547034897037121",
"56628859053799990713071325983993412983",
"50529792302659605621452559755036302458",
"283976464617879629313904461508848914446",
"282664154675371791074147675909352244929",
"32183579857115523624518279653053301660",
"73503990986934677094942991821757570732",
"81519144438650632884613885670521507634",
"213633340242259351405366778735720055172",
"272059123195882165076211353043068918357",
"36505412154309488698193833151107027160",
"109133572645371761863651026145671732495",
"62986099643433235889972260790302474600",
"2003555741771625836288345993048152289",
"15922483174394253743275880889753950052",
"234580555394680681238718026865960766555",
"101186697661108654923902993114345537766",
"67875735245883209661040772520149008619",
"111141823950652245238969923548605947719",
"73503990986934677094942991821757570732",
"81519144438650632884613885670521507634",
"213633340242259351405366778735720055172",
"272059123195882165076211353043068918357",
"209741697878707984437675678736286603853",
"258473931518378979008690327388574981736",
"172405330183254021916062721618404456563",
"289056208136368842629616218835441349198",
"237953593464089445925778342874274232292",
"145134041580868375876888439974341278775",
"177469010587301985815447372955564735453"
],
"threshold": 0.9
},
"target": {
"file": "src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Line"
},
{
"id": "CVE-2017-1000487-f2b5d73c",
"deprecated": false,
"digest": {
"line_hashes": [
"266859971200631060262410459272496769207",
"202593301643469909774897831866107501359",
"226005623609645231658021846094360623122",
"292073258209220137477996965927713261662",
"254767192141294655730149752796810599866",
"67194464445949198426624902135840936847",
"214396385150867048422766434938892347773",
"241639555163956758669108559826074661545",
"202836845331417486405662202995539153442",
"74769573316591642488132119187431043039",
"119737172254403106129538057766564326896",
"7621239835065017102227964743327275045",
"129295652173545603771365016297869472820",
"1510551636711105857490738827130099490",
"6308229061052415003262407583118681451",
"171352351284800138696505562389847368848",
"272542945632502406295291993446177634082",
"151342402124700578469368709215935200165",
"20853912734730859529560434274831482897",
"59410345820749439060616568324118398733",
"284876336450936053766225570635289965194",
"340087710340397193355970107954204177379",
"39368601701278564365235301328721609562"
],
"threshold": 0.9
},
"target": {
"file": "src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java"
},
"source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41",
"signature_version": "v1",
"signature_type": "Line"
}
]