Skip to main content

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVE-2022-39243

Severity High
Score 9.8/10

Summary

NuProcess is an external process execution implementation for Java. In versions 1.2.0 through 2.0.4 of NuProcess where it forks processes by using the JVM's "Java_java_lang_UNIXProcess_forkAndExec" method, attackers can use NUL characters in their strings to perform command line injection. Java's ProcessBuilder isn't vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • HIGH
  • HIGH

CWE-77 - Command Injection

A command injection attack involves injecting an operating system command through the data input, which gets executed on the host operating system with the privileges of the victimized application. The impact of a command injection attack may range from loss of data confidentiality and integrity to unauthorized remote access to the hosting system. The attack may cause serious data breaches and system takeover.

Advisory Timeline

  • Published