CVE-2023-34112

Published: Jun 9, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

JavaCPP Presets is a project providing Java distributions of native C++ libraries. All the actions in the `bytedeco/javacpp-presets` use the `github.event.head_commit.message` parameter in an insecure way. For example, the commit message is used in a run statement - resulting in a command injection vulnerability due to string interpolation. No exploitation has been reported. This issue has been addressed in version 1.5.9. Users of JavaCPP Presets are advised to upgrade as a precaution.

Affected (1)

Products: Bytedeco: Javacpp Presets

1 product

Javacpp Presets

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Bytedeco Javacpp Presets	Before 1.5.9

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (4)

https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x

Source: security-advisories@github.com

Vendor Advisory

https://securitylab.github.com/research/github-actions-untrusted-input/

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://securitylab.github.com/research/github-actions-untrusted-input/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.