CVE-2022-29599: Commandline class shell injection vulnerabilities
First published: Fri May 29 2020(Updated: )
A flaw was found in the maven-shared-utils package. This issue allows a Command Injection due to improper escaping, allowing a shell injection attack.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <2-plugins-0:4.11.1683009941-1.el8 | 2-plugins-0:4.11.1683009941-1.el8 |
| redhat/jenkins | <2-plugins-0:4.12.1686649756-1.el8 | 2-plugins-0:4.12.1686649756-1.el8 |
| redhat/jenkins | <2-plugins-0:4.13.1686680473-1.el8 | 2-plugins-0:4.13.1686680473-1.el8 |
| redhat/maven-shared-utils | <0:0.4-4.el7_9 | 0:0.4-4.el7_9 |
| redhat/jenkins | <2-plugins-0:4.10.1670851835-1.el8 | 2-plugins-0:4.10.1670851835-1.el8 |
| redhat/jenkins | <2-plugins-0:4.9.1674644684-1.el8 | 2-plugins-0:4.9.1674644684-1.el8 |
| redhat/rh-maven36-maven-shared-utils | <0:3.2.1-0.2.3.el7 | 0:3.2.1-0.2.3.el7 |
| redhat/maven-shared-utils | <3.3.3 | 3.3.3 |
| debian/maven-shared-utils | <=3.3.0-1 | 3.3.0-1+deb10u1 3.3.0-1+deb11u1 3.3.4-1 |
| ubuntu/maven-shared-utils | <3.3.0-1ubuntu0.18.04.1~ | 3.3.0-1ubuntu0.18.04.1~ |
| ubuntu/maven-shared-utils | <3.3.0-1ubuntu0.20.04.1 | 3.3.0-1ubuntu0.20.04.1 |
| ubuntu/maven-shared-utils | <3.3.0-1ubuntu0.22.04.1 | 3.3.0-1ubuntu0.22.04.1 |
| ubuntu/maven-shared-utils | <0.4-1ubuntu0.1~ | 0.4-1ubuntu0.1~ |
| ubuntu/maven-shared-utils | <0.9-1ubuntu0.1~ | 0.9-1ubuntu0.1~ |
| Apache Maven shared utils | <3.3.3 | |
| Debian GNU/Linux | =10.0 | |
| Debian GNU/Linux | =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2022/05/23/3
- https://github.com/apache/maven-shared-utils/pull/40
- https://issues.apache.org/jira/browse/MSHARED-297
- https://lists.debian.org/debian-lts-announce/2022/08/msg00018.html
- https://www.debian.org/security/2022/dsa-5242
- https://security-tracker.debian.org/tracker/CVE-2022-29599
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29599
- https://github.com/apache/maven-shared-utils/commit/f751e614c09df8de1a080dc1153931f3f68991c9
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012314
- https://www.cve.org/CVERecord?id=CVE-2022-29599 https://nvd.nist.gov/vuln/detail/CVE-2022-29599
- https://bugzilla.redhat.com/show_bug.cgi?id=2066479
- https://access.redhat.com/errata/RHSA-2023:3198
- https://access.redhat.com/errata/RHSA-2023:3610
- https://access.redhat.com/errata/RHSA-2023:3622
- https://access.redhat.com/errata/RHSA-2022:1541
- https://access.redhat.com/errata/RHSA-2022:4797
- https://access.redhat.com/errata/RHSA-2022:4798
- https://access.redhat.com/errata/RHSA-2022:4699
- https://access.redhat.com/errata/RHSA-2022:9098
- https://access.redhat.com/errata/RHSA-2023:0573
- https://access.redhat.com/errata/RHSA-2022:1662
- https://access.redhat.com/security/cve/cve-2022-29599
- https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEMAVENSHARED-570592
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2066480
- https://access.redhat.com/errata/RHSA-2023:6179
- https://access.redhat.com/errata/RHSA-2023:7288
- https://access.redhat.com/errata/RHSA-2024:0776
- https://access.redhat.com/errata/RHSA-2024:0777
- https://access.redhat.com/errata/RHSA-2024:0778
- https://access.redhat.com/errata/RHSA-2024:0775
- https://launchpad.net/bugs/cve/CVE-2022-29599
- https://rhn.redhat.com/errata/RHSA-2022-1662.html
- https://ubuntu.com/security/notices/USN-6730-1
- https://www.cve.org/CVERecord?id=CVE-2022-29599
- https://nvd.nist.gov/vuln/detail/CVE-2022-29599
- https://ubuntu.com/security/CVE-2022-29599
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2022-29599?
CVE-2022-29599 has a high severity due to its potential for command injection vulnerabilities.
How do I fix CVE-2022-29599?
To remediate CVE-2022-29599, update the maven-shared-utils package to version 3.3.3 or later.
Which software versions are affected by CVE-2022-29599?
CVE-2022-29599 affects Apache Maven maven-shared-utils versions prior to 3.3.3 and specific versions of Jenkins plugins.
What type of attack does CVE-2022-29599 allow?
CVE-2022-29599 allows a shell injection attack due to improper escaping of double-quoted strings.
Where can I find more information about CVE-2022-29599?
For detailed technical information, you can refer to the official Apache and security mailing lists regarding CVE-2022-29599.
- collector/debian-bugs
- alias/CVE-2022-29599
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/description
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- package-manager/ubuntu
- vendor/apache
- canonical/apache maven shared utils
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/10.0
- version/debian gnu/linux/11.0