CVE-2022-29599

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

Database specific

{
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-116"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/29xxx/CVE-2022-29599.json"
}

References

Affected packages

Git / github.com/apache/maven-shared-utils

Affected ranges

Type

GIT

Repo

https://github.com/apache/maven-shared-utils

Events

Introduced

Fixed

cc010396156386d95e2acbc28f7aba32590243a2

Database specific

{
    "cpe": "cpe:2.3:a:apache:maven_shared_utils:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "extracted_events": [
        {
            "introduced": "maven-shared-utils"
        },
        {
            "fixed": "3.3.3"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "3.3.3"
        }
    ]
}

Affected versions

maven-shared-utils-0.*

maven-shared-utils-0.1

maven-shared-utils-0.2

maven-shared-utils-0.3

maven-shared-utils-0.4

maven-shared-utils-0.5

maven-shared-utils-0.6

maven-shared-utils-0.7

maven-shared-utils-0.8

maven-shared-utils-0.9

maven-shared-utils-3.*

maven-shared-utils-3.0.0

maven-shared-utils-3.0.1

maven-shared-utils-3.1.0

maven-shared-utils-3.2.0

maven-shared-utils-3.2.1

maven-shared-utils-3.3.0

maven-shared-utils-3.3.1

maven-shared-utils-3.3.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-29599.json"