PRIOn knowledge base: PRION:CVE-2022-39243
Sep 26, 2022 - 2:15 p.m.

Design/Logic Flaw

2022-09-26 14:15:00
PRIOn knowledge base
www.prio-n.com
Tags: nuprocess, java, command line injection, nul characters, vulnerability, linux, version 2.0.5, patch, workaround

AI Score: 9.7 High (Confidence: High)
EPSS: 0.004 Low (Percentile: 73.0%)

NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM’s Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java’s ProcessBuilder isn’t vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.
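The workaround above, as an added example (not NuProcess or JDK code): a guard that rejects NUL-bearing arguments before the command list reaches the library, plus a simplified model of a NUL-delimited argument block showing why one argument is seen as two. The class name, helper names, block model and sample command are assumptions made for illustration; the guard rejects instead of removing the NUL so that input is never silently altered.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class NulGuard {
    // Reject (rather than silently strip) any argument containing NUL.
    static List<String> requireNoNul(List<String> command) {
        for (int i = 0; i < command.size(); i++) {
            if (command.get(i).indexOf('\0') >= 0) {
                throw new IllegalArgumentException("NUL character in command argument " + i);
            }
        }
        return command;
    }

    // Simplified model (assumption): each argument is appended to one byte block, NUL-terminated.
    static byte[] toArgBlock(List<String> args) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (String arg : args) {
            byte[] b = arg.getBytes(StandardCharsets.UTF_8);
            out.write(b, 0, b.length);
            out.write(0);
        }
        return out.toByteArray();
    }

    // The receiving side can only recover arguments by splitting the block on NUL.
    static List<String> splitArgBlock(byte[] block) {
        List<String> args = new ArrayList<>();
        int start = 0;
        for (int i = 0; i < block.length; i++) {
            if (block[i] == 0) {
                args.add(new String(block, start, i - start, StandardCharsets.UTF_8));
                start = i + 1;
            }
        }
        return args;
    }

    public static void main(String[] unused) {
        // Constructed sample: one logical argument with an embedded NUL.
        List<String> cmd = Arrays.asList("grep", "needle\0--constructed-extra-arg", "file.txt");
        int seen = splitArgBlock(toArgBlock(cmd)).size();
        System.out.println("passed in: " + cmd.size() + " args, seen after split: " + seen);
        try {
            requireNoNul(cmd);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before launch: " + e.getMessage());
        }
    }
}
```

Call `requireNoNul` on the final command list immediately before handing it to NuProcess, so no later string concatenation can reintroduce a NUL.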

CPE
Name       Operator  Version
nuprocess  ge        1.2.0
nuprocess  lt        2.0.5
