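Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double-quoted strings. The signatures below (CVE-2017-1000487) cite upstream commit b38a1b3a4352303e4312b2bb601a0d7ec6e28f41 as their source and target the `Commandline`, `Shell` and `BourneShell` classes under `src/main/java/org/codehaus/plexus/util/cli`, together with their tests; a match indicates code that should be checked against that commit or upgraded to 3.0.16 or later.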
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "300799970982068015982431037008041195086", "104676368707797886347384246451253523428", "162346545987340120690720711533396833634", "67598624732669161930637271996319015448", "207745034413981090703372942108334909329", "200989870876524342534428753293969201746", "140351054116545176855270093950742554258", "216858197118834227521071144975071977065", "67661911869677207178233261896575301568", "305820704747279464979485562232562154954", "319544270405357518845780270084338555247", "173099726432875169567666693757411034115", "285475526510075422052788660232655247777", "192060110213693258689441169939565831557", "99189173883135506272230103145987586947", "24934156606211279344995154497674790516", "54406988797198545216355706718551458339", "7717133447410990880821574672260862477", "286627158450329675767002972682036764416", "217107724011426553366081138219920659428", "22132108982777781368150828813772176429", "305325230576796526419679502293788705604", "46484743183609010269019381491570960566", "336290306340757305620549721204299277864", "39144991994285324332998631062327778325", "215948012795257716838605863262704722315", "221733053921728608672842611073437964976", "125077954493002993460738224621212032030", "31132798232780144061992833484444962026", "333178855125170181232599168362445363997", "231857808611946931778050423570965868491", "83851115173377586090612255287583890797", "162250303065076345261209492967712625715", "264751428289959259740596146253211352803", "15827968120897778693992378133578887381", "248280553452405849085166451402542214356", "306296295192740195911351040919143857613", "134719570181542193618263823151111295437", "222528643462955454669631882567314972746", "253646862163839839850827744536057064692", "216451383950582534538977614945257698392", "43552458198366550128089465039349862823", "302640542209010748092284586731033209246", "308858535711491574819492266531964542997" ] }, "id": "CVE-2017-1000487-02fb605b", "source": 
"https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Line", "signature_version": "v1", "target": { "file": "src/main/java/org/codehaus/plexus/util/cli/Commandline.java" }, "deprecated": false }, { "digest": { "function_hash": "245328568726289761535579372425817308010", "length": 868.0 }, "id": "CVE-2017-1000487-2563cf2f", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java", "function": "getRawCommandLine" }, "deprecated": false }, { "digest": { "threshold": 0.9, "line_hashes": [ "279318192494055280893864218865251420718", "10885823087519446278830464154190954428", "339637272527835449592538332722503032483", "315341723640956645557047926618482323876", "11020193414079140304210406700743936311", "15248381420429985469351059600632181081", "69770402220552774331030142290272573282", "182876066750053336804266707895898638834", "175520929032102173996312984351110011285", "236557089223711662977294659461117831717", "61792606937303249130203737506050334912", "143517943469409887434271931290580296871", "254274144236442360004152979803939331552", "98275859908661230726342158759884345443", "100919086091100649668389946948189332540", "48101020662085164544104040221404613114", "319067707487987508848485175619250365847", "287959877349089530942877573757282162633", "94781417977212615898780281351549754304", "32245080349303680897547383509784681707", "167381137560759913773544447093179373907", "204778344005468556975933891282171460392", "118399976537918844451770361318630942758", "225479027823873198693388548368672540232", "177507711899775162265388380544713547463", "131525387911331961278352187004043909631", "242300683975749043600876242348747130671", "205732003330485726840487497172040002438", "229386760563428956916270966371945231783", 
"116079380353084399668749993807168146370", "242300683975749043600876242348747130671", "183679823968295882621379682585654302187", "5801842194203685961815971014576406082", "197693002550403722870652616728087716652", "179669615772033602463600740091432627860", "188996999043343786163141981004460679325", "57624416196709235973054567144272631285", "282506764841889541995609711624856018110" ] }, "id": "CVE-2017-1000487-25f1cd38", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Line", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java" }, "deprecated": false }, { "digest": { "function_hash": "168614751941132427320005685092623568012", "length": 662.0 }, "id": "CVE-2017-1000487-365f05ce", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/main/java/org/codehaus/plexus/util/cli/Commandline.java", "function": "execute" }, "deprecated": false }, { "digest": { "function_hash": "84865574263062004234128658204635859208", "length": 1191.0 }, "id": "CVE-2017-1000487-4c0e2f75", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java", "function": "testBourneShellQuotingCharacters" }, "deprecated": false }, { "digest": { "function_hash": "125637259555581299840097572896638717728", "length": 486.0 }, "id": "CVE-2017-1000487-4e454f42", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java", "function": 
"testGetShellCommandLineBash_WithSingleQuotedArg" }, "deprecated": false }, { "digest": { "threshold": 0.9, "line_hashes": [ "24747907030602044412412141753936611263", "29738323904320518379567511344323733353", "265609344695144016219294555947016162041", "124628339465447721921436693716812178493", "202098285846879798560260004184168114185", "317574938519314951594194024497793540934", "222622582677497198448134633418082802652", "227407457557667411114263333351664971699", "263445753234790440519555458791594960196", "79643603571293372617771188262336808962", "133551431134571711689882278001201342719", "189038708384935351467093655861290606978", "264707452815564459723863158918998969299", "296663462597268782789817466616243199580", "321470405135019013758028420887381440428", "278580800879945964184736854789460149649", "292435380686846365057846686694167730292", "300665136677648553302808514432494120759", "252929415023036646020367008378826493602", "64969581301086708041435904955757696159", "247352809636236059307492204582977055689", "4161648615289802497480829004361892131", "217827295154713567836068753119515619668", "88159725227002844973915368948107485029", "52958465392509675265566931825397685331", "88962489015985515510636668414535765554", "234536612626884567420604869190077353987", "88867406636929878707253180960596894036", "200571846446911592936136467056715320818", "221254239457423867827814348931498450136", "324390724030002423708734665866951395124", "50097596399256950246523093498688128788", "264014794028486841683621206282467267355", "315760537970361517307153248715255708883", "124668460391102946918732570460546328383", "305577323550441914427055549752688962858", "114266163361757035612495942377662071156", "34633930896986754673691812902028396132", "87749075462671987943711226963478135785", "195188504002927936240208002758373158077", "246047843040645353940952857354345591909", "28870352580081541927987920399548694603", "176491968885978734702317463871214395691", 
"230157463108787044888712190964570237476", "187986498413229158112824585898033769217", "283882219053242831903424889525303880018", "101563671423118322310982248625110876340", "294559474389998078347994108277610964338", "160787560728369943358335398269616946279", "89500319284740935860256150938796045135", "14022030013499478344248191163564584180", "302423027424073294199673625747837205995", "56334364092681054725890387412929045056", "252543323740694808682174612913122121834", "58541277117774831013325813237292164536", "88931515661337248871618778334713114446", "257518461882859506090422280614135586654" ] }, "id": "CVE-2017-1000487-50ddf289", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Line", "signature_version": "v1", "target": { "file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java" }, "deprecated": false }, { "digest": { "function_hash": "181137959711395017815591555864093111648", "length": 308.0 }, "id": "CVE-2017-1000487-5c55f3e1", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java", "function": "testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes" }, "deprecated": false }, { "digest": { "function_hash": "92675178776976754492282614409127377887", "length": 307.0 }, "id": "CVE-2017-1000487-67188aa2", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java", "function": "unifyQuotes" }, "deprecated": false }, { "digest": { "function_hash": "219867694814017295110422838675296531315", "length": 383.0 }, "id": "CVE-2017-1000487-79c0011e", "source": 
"https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java", "function": "testEscapeSingleQuotesOnArgument" }, "deprecated": false }, { "digest": { "function_hash": "261439550396805882879773841117531602714", "length": 314.0 }, "id": "CVE-2017-1000487-87180b97", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java", "function": "testQuoteWorkingDirectoryAndExecutable_WDPathWithSingleQuotes_BackslashFileSep" }, "deprecated": false }, { "digest": { "function_hash": "39888439016711569929783680222733213029", "length": 336.0 }, "id": "CVE-2017-1000487-87698c46", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java", "function": "testPreserveSingleQuotesOnArgument" }, "deprecated": false }, { "digest": { "function_hash": "121385083734232142650913729562102626261", "length": 276.0 }, "id": "CVE-2017-1000487-8dc16ff6", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java", "function": "testQuoteWorkingDirectoryAndExecutable" }, "deprecated": false }, { "digest": { "function_hash": "257230636659740514664364397903802204766", "length": 244.0 }, "id": "CVE-2017-1000487-a213c13f", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", 
"signature_type": "Function", "signature_version": "v1", "target": { "file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java", "function": "getExecutionPreamble" }, "deprecated": false }, { "digest": { "function_hash": "136125616696534645561670474947206549409", "length": 1659.0 }, "id": "CVE-2017-1000487-a9549b5e", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/shell/BourneShellTest.java", "function": "testArgumentsWithsemicolon" }, "deprecated": false }, { "digest": { "function_hash": "9153802260345320861497841110850026482", "length": 215.0 }, "id": "CVE-2017-1000487-aff42aae", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java", "function": "BourneShell" }, "deprecated": false }, { "digest": { "function_hash": "75358319420489652393163783191345485342", "length": 58.0 }, "id": "CVE-2017-1000487-b952758e", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java", "function": "getQuotingTriggerChars" }, "deprecated": false }, { "digest": { "function_hash": "317272256612478435240080772913426579029", "length": 482.0 }, "id": "CVE-2017-1000487-c07096fb", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java", "function": "testGetShellCommandLineBash" }, "deprecated": false }, { "digest": 
{ "function_hash": "297178032715849235338500915384919426614", "length": 144.0 }, "id": "CVE-2017-1000487-c8a983ec", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/main/java/org/codehaus/plexus/util/cli/shell/BourneShell.java", "function": "getExecutable" }, "deprecated": false }, { "digest": { "function_hash": "53024081119851549233676211467412891619", "length": 461.0 }, "id": "CVE-2017-1000487-cfbc8070", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java", "function": "testGetShellCommandLineNonWindows" }, "deprecated": false }, { "digest": { "function_hash": "237761059037293327751043380171331937986", "length": 707.0 }, "id": "CVE-2017-1000487-e56ec263", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Function", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java", "function": "testGetShellCommandLineBash_WithWorkingDirectory" }, "deprecated": false }, { "digest": { "threshold": 0.9, "line_hashes": [ "73418873428302441374177646890355577869", "57266909541799630018866597338082343802", "318315335801254346973450094711558640023", "317378028518907049806041994282899163733", "175531185513350794635257374928085480176", "139264851717853355019077123984433863365", "91479366894932914392012547034897037121", "56628859053799990713071325983993412983", "50529792302659605621452559755036302458", "283976464617879629313904461508848914446", "282664154675371791074147675909352244929", "32183579857115523624518279653053301660", "73503990986934677094942991821757570732", "81519144438650632884613885670521507634", 
"213633340242259351405366778735720055172", "272059123195882165076211353043068918357", "36505412154309488698193833151107027160", "109133572645371761863651026145671732495", "62986099643433235889972260790302474600", "2003555741771625836288345993048152289", "15922483174394253743275880889753950052", "234580555394680681238718026865960766555", "101186697661108654923902993114345537766", "67875735245883209661040772520149008619", "111141823950652245238969923548605947719", "73503990986934677094942991821757570732", "81519144438650632884613885670521507634", "213633340242259351405366778735720055172", "272059123195882165076211353043068918357", "209741697878707984437675678736286603853", "258473931518378979008690327388574981736", "172405330183254021916062721618404456563", "289056208136368842629616218835441349198", "237953593464089445925778342874274232292", "145134041580868375876888439974341278775", "177469010587301985815447372955564735453" ] }, "id": "CVE-2017-1000487-ef50bde9", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Line", "signature_version": "v1", "target": { "file": "src/test/java/org/codehaus/plexus/util/cli/CommandlineTest.java" }, "deprecated": false }, { "digest": { "threshold": 0.9, "line_hashes": [ "266859971200631060262410459272496769207", "202593301643469909774897831866107501359", "226005623609645231658021846094360623122", "292073258209220137477996965927713261662", "254767192141294655730149752796810599866", "67194464445949198426624902135840936847", "214396385150867048422766434938892347773", "241639555163956758669108559826074661545", "202836845331417486405662202995539153442", "74769573316591642488132119187431043039", "119737172254403106129538057766564326896", "7621239835065017102227964743327275045", "129295652173545603771365016297869472820", "1510551636711105857490738827130099490", "6308229061052415003262407583118681451", "171352351284800138696505562389847368848", 
"272542945632502406295291993446177634082", "151342402124700578469368709215935200165", "20853912734730859529560434274831482897", "59410345820749439060616568324118398733", "284876336450936053766225570635289965194", "340087710340397193355970107954204177379", "39368601701278564365235301328721609562" ] }, "id": "CVE-2017-1000487-f2b5d73c", "source": "https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41", "signature_type": "Line", "signature_version": "v1", "target": { "file": "src/main/java/org/codehaus/plexus/util/cli/shell/Shell.java" }, "deprecated": false } ] }