CVE-2022-39243

2022-09-2614:15:10

CWE-77

[email protected]

web.nvd.nist.gov

nuprocess

java

vulnerability

cve-2022-39243

nul characters

command injection

security fix

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.6 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.0%

JSON

NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM’s Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java’s ProcessBuilder isn’t vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.

Affected configurations

Vulners

NVD

Node

brettwooldridgenuprocessRange1.2.0–2.0.5

CPENameOperatorVersion
nuprocess_project:nuprocessnuprocess project nuprocesslt2.0.5

CPE	Name	Operator	Version
nuprocess_project:nuprocess	nuprocess project nuprocess	lt	2.0.5

CNA Affected

[
  {
    "product": "NuProcess",
    "vendor": "brettwooldridge",
    "versions": [
      {
        "status": "affected",
        "version": ">= 1.2.0, < 2.0.5"
      }
    ]
  }
]