Vulnerability Details CVE-2017-1000487
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.176
EPSS Ranking 94.7%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- https://access.redhat.com/errata/RHSA-2018:1322
- https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r2e94f72f53df432302d359fd66cfa9e9efb8d42633d54579a4377e62%40%3Cdev.avro.apache.org%3E
- https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/01/msg00010.html
- https://lists.debian.org/debian-lts-announce/2018/01/msg00011.html
- https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522
- https://www.debian.org/security/2018/dsa-4146
- https://www.debian.org/security/2018/dsa-4149
- https://access.redhat.com/errata/RHSA-2018:1322
- https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41
- https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r2e94f72f53df432302d359fd66cfa9e9efb8d42633d54579a4377e62%40%3Cdev.avro.apache.org%3E
- https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/01/msg00010.html
- https://lists.debian.org/debian-lts-announce/2018/01/msg00011.html
- https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522
- https://www.debian.org/security/2018/dsa-4146
- https://www.debian.org/security/2018/dsa-4149
Products affected by CVE-2017-1000487
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.4
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.4.1
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.4.2
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.4.3
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.4.4
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.4.5
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.4.6
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.4.7
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.4.8
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.4.9
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.1
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.10
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.11
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.12
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.13
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.14
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.15
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.2
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.3
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.4
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.5
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.6
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.7
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.8
-
cpe:2.3:a:codehaus-plexus:plexus-utils:1.5.9
-
cpe:2.3:a:codehaus-plexus:plexus-utils:2.0.0
-
cpe:2.3:a:codehaus-plexus:plexus-utils:2.0.1
-
cpe:2.3:a:codehaus-plexus:plexus-utils:2.0.2
-
cpe:2.3:a:codehaus-plexus:plexus-utils:2.0.3
-
cpe:2.3:a:codehaus-plexus:plexus-utils:2.0.4
-
cpe:2.3:a:codehaus-plexus:plexus-utils:2.0.5
-
cpe:2.3:a:codehaus-plexus:plexus-utils:2.0.7
-
cpe:2.3:a:codehaus-plexus:plexus-utils:2.1
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.1
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.10
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.11
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.12
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.13
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.14
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.15
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.2
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.3
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.4
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.5
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.6
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.7
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.8
-
cpe:2.3:a:codehaus-plexus:plexus-utils:3.0.9
-
cpe:2.3:o:debian:debian_linux:7.0
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:debian:debian_linux:9.0