cvelist (GitHub_M) CVELIST:CVE-2023-34112
Jun 08, 2023 - 11:05 p.m.

CVE-2023-34112 JavaCPP project actions vulnerable to code injection

2023-06-08 23:05:36
CWE-94
GitHub_M
www.cve.org
cve-2023-34112
javacpp
code injection

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

43.7%

JavaCPP Presets is a project providing Java distributions of native C++ libraries. All the actions in bytedeco/javacpp-presets used the github.event.head_commit.message parameter in an insecure way. For example, the commit message was interpolated directly into a run step, which is a command injection vulnerability: the ${{ ... }} expression is expanded into the script text before the shell executes it, so quoting in the workflow gives no protection and an attacker who controls the commit message controls part of the script. No exploitation has been reported. This issue has been addressed in version 1.5.9. Users of JavaCPP Presets are advised to upgrade as a precaution.
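
The description above states the bug pattern in one sentence. The shell script below, added here as an illustration and not taken from the bytedeco/javacpp-presets workflows or from the 1.5.9 fix, simulates how the runner expands ${{ github.event.head_commit.message }} into the step text before the shell sees it, and shows the env: indirection that closes the hole. The commit message, the two step templates and the INJECTED marker are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bytedeco/javacpp-presets workflows.
# A GitHub Actions `run` step goes through two stages:
#   1. the runner textually replaces ${{ ... }} expressions in the step text,
#   2. the resulting text is handed to the shell (bash by default on Linux;
#      plain sh is used here so the example runs anywhere).
# Because stage 1 happens before the shell parses anything, the quotes in the
# workflow cannot protect against data that carries shell metacharacters.

# Constructed attacker-controlled commit message (not a real commit).
COMMIT_MSG='Fix build"; echo INJECTED; echo "'
EXPR='${{ github.event.head_commit.message }}'

# Stage 1: substitute the first occurrence of the expression in a step
# template, purely textually, the way the runner does.
render_step() {
  template=$1
  value=$2
  case $template in
    *"$EXPR"*)
      before=${template%%"$EXPR"*}
      after=${template#*"$EXPR"}
      printf '%s%s%s\n' "$before" "$value" "$after"
      ;;
    *)
      printf '%s\n' "$template"
      ;;
  esac
}

# Vulnerable pattern (the shape the advisory describes): the expression sits
# directly inside the script, so the rendered text contains attacker-chosen
# shell syntax.
run_vulnerable() {
  step='echo "Commit message: ${{ github.event.head_commit.message }}"'
  sh -c "$(render_step "$step" "$COMMIT_MSG")"
}

# Hardened pattern: the expression moves into an env: mapping, so the shell
# receives only the literal script and reads the data from a variable.
#   env:
#     COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
#   run: echo "Commit message: $COMMIT_MESSAGE"
run_hardened() {
  step='echo "Commit message: $COMMIT_MESSAGE"'
  COMMIT_MESSAGE=$COMMIT_MSG sh -c "$step"
}

# Succeeds (exit 0) only if the marker command actually ran, i.e. some output
# line is exactly INJECTED, as opposed to the marker merely appearing inside
# the echoed message.
was_injected() {
  printf '%s\n' "$1" | grep -qx 'INJECTED'
}

demo() {
  for variant in run_vulnerable run_hardened; do
    echo "--- $variant ---"
    out=$("$variant")
    printf '%s\n' "$out"
    if was_injected "$out"; then
      echo "result: command injected"
    else
      echo "result: message treated as data"
    fi
  done
}

demo
```

The vulnerable variant prints the commit message, then a separate INJECTED line, because the rendered script is literally `echo "Commit message: Fix build"; echo INJECTED; echo ""`. The hardened variant prints the whole payload as one line of text: the script the shell parses never changes, only the value of COMMIT_MESSAGE does. The same rule applies to any other attacker-influenced context value (pull request titles, branch names, issue bodies): pass it through env: or an action input, never straight into run:.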

CNA Affected

[
  {
    "vendor": "bytedeco",
    "product": "javacpp-presets",
    "versions": [
      {
        "version": "< 1.5.9",
        "status": "affected"
      }
    ]
  }
]
