org.apache.maven.shared:maven-shared-utils@3.2.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.maven.shared:maven-shared-utils package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability: Command Injection

org.apache.maven.shared:maven-shared-utils is a functional replacement for plexus-utils in Maven.

Affected versions of this package are vulnerable to Command Injection. The Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks: inside double quotes a POSIX shell still performs dollar, backtick and backslash expansion, so an argument containing $(...) or a backtick substitution is executed rather than passed literally. The BourneShell class should unconditionally single-quote emitted strings (including the command name itself), with the sequence '"'"' (close quote, a double-quoted single quote, reopen quote) used for each embedded single quote, for maximum safety across shells implementing a superset of POSIX quoting rules.
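The quoting rule above, as an added example that is not code from maven-shared-utils: a POSIX sh implementation of unconditional single-quoting beside the unsafe double-quoting pattern, with both command lines handed to sh -c the way a shell-backed command line is. The function names (dq_quote, sq_quote, build_cmdline, run_cmdline) and the payload are assumptions chosen for this illustration; dq_quote escapes only the double quote itself to stand in for the flaw class described, and is not the project's actual code.

```sh
#!/bin/sh
# Added example, not maven-shared-utils code. Shows why emitting a double-quoted
# argument is unsafe and how unconditional single-quoting (with '"'"' for an
# embedded single quote) neutralises shell metacharacters. Function names and
# the payload below are assumptions chosen for this illustration.

# dq_quote ARG: the unsafe pattern. Wraps ARG in double quotes and escapes only
# the double quote itself, so $(...), `...` and $VAR still expand under sh -c.
# (Stands in for the flaw class the advisory describes; not the project's code.)
dq_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/"/\\"/g')"
}

# sq_quote ARG: the rule the advisory calls for. Wraps ARG in single quotes and
# turns each embedded ' into '"'"' (close quote, a double-quoted ', reopen).
# Inside single quotes a POSIX shell performs no expansion at all.
# Note: $(...) strips trailing newlines from ARG; acceptable for this demo.
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\"'\"'/g")"
}

# build_cmdline QUOTER WORD...: quote every word with QUOTER, the command name
# included, and join them with single spaces into one command line string.
build_cmdline() {
    quoter=$1
    shift
    out=""
    for w in "$@"; do
        out="${out:+$out }$("$quoter" "$w")"
    done
    printf '%s' "$out"
}

# run_cmdline QUOTER WORD...: hand the built string to sh -c, which is what a
# Commandline-style wrapper does when it routes a command through a shell.
run_cmdline() {
    sh -c "$(build_cmdline "$@")"
}

# Constructed payload: an embedded single quote (the case that pushed the
# vulnerable code onto the double-quoting path) followed by a command
# substitution that must not run.
payload="it's \$(echo INJECTED)"

echo "double-quoted: $(run_cmdline dq_quote echo "$payload")"
echo "single-quoted: $(run_cmdline sq_quote echo "$payload")"
```

Run with any POSIX sh (dash, bash, busybox). The double-quoted line prints "it's INJECTED" because the substitution executed inside sh -c; the single-quoted line prints the payload byte for byte, including the literal $(echo INJECTED), because nothing inside single quotes is expanded. Quoting the command name as well costs nothing: 'echo' invokes echo exactly as an unquoted echo would.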

This is a similar issue to SNYK-JAVA-ORGCODEHAUSPLEXUS-31522

How to fix Command Injection?

Upgrade org.apache.maven.shared:maven-shared-utils to version 3.3.3 or higher.

Vulnerable versions: [,3.3.3)