CVE-2022-39243

2022-09-2614:15:10

Google

osv.dev

cve-2022-39243

nuprocess

command injection

nul characters

java

linux

patch

process execution

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.0%

JSON

NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM’s Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java’s ProcessBuilder isn’t vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.

CPENameOperatorVersion
nuprocesseqnuprocess-1.2.3
nuprocesseqnuprocess-0.9.7
nuprocesseqnuprocess-0.9.5
nuprocesseqnuprocess-1.0.2
nuprocesseqnuprocess-1.1.2
nuprocesseqnuprocess-1.1.0
nuprocesseqnuprocess-1.2.6
nuprocesseqnuprocess-2.0.2
nuprocesseqnuprocess-2.0.0
nuprocesseqnuprocess-1.1.1

Name	Operator	Version
nuprocess	eq	nuprocess-1.2.3
nuprocess	eq	nuprocess-0.9.7
nuprocess	eq	nuprocess-0.9.5
nuprocess	eq	nuprocess-1.0.2
nuprocess	eq	nuprocess-1.1.2
nuprocess	eq	nuprocess-1.1.0
nuprocess	eq	nuprocess-1.2.6
nuprocess	eq	nuprocess-2.0.2
nuprocess	eq	nuprocess-2.0.0
nuprocess	eq	nuprocess-1.1.1