CVE-2017-1000487
Command Injection vulnerability in org.codehaus.plexus:plexus-utils
What is CVE-2017-1000487 About?
Plexus-utils before 3.0.16 is susceptible to command injection due to improper handling of double-quoted strings. This flaw allows an attacker to execute arbitrary commands by injecting malicious code within specially crafted input. Exploitation is relatively straightforward if an attacker can control relevant input.
Affected Software
Technical Details
The vulnerability in Plexus-utils versions prior to 3.0.16 arises from its incorrect processing of double-quoted strings in scenarios where commands are constructed or executed. Specifically, the utility fails to properly escape or sanitize special characters within these strings when they are interpreted as part of a shell command or similar execution context. An attacker can inject command-line meta-characters (e.g., semicolons, backticks, dollar signs) within a double-quoted string that is then passed to a function that executes system commands. This allows the attacker to break out of the intended command structure and inject arbitrary commands, which the system will then execute with the privileges of the affected application.
What is the Impact of CVE-2017-1000487?
Successful exploitation may allow attackers to execute arbitrary operating system commands on the underlying host, which can lead to full system compromise, data exfiltration, or denial of service.
What is the Exploitability of CVE-2017-1000487?
Exploitation complexity is moderate, requiring an attacker to be able to supply malformed double-quoted strings to an application utilizing Plexus-utils. No authentication or specific privileges are typically required for the initial injection, although the impact depends on the privileges of the vulnerable application. This is likely a remote vulnerability if the application accepts untrusted input that is then processed by Plexus-utils. The main constraint is identifying an input point where crafted strings are processed by command execution functions. Risk factors that increase exploitation likelihood include applications that construct system commands using user-controlled input without proper sanitization.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| shoucheng3 | Link | PoC for CVE-2017-1000487 |
What are the Available Fixes for CVE-2017-1000487?
Available Upgrade Options
- org.codehaus.plexus:plexus-utils
  - <3.0.16 → Upgrade to 3.0.16
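One way to check a build against the upgrade threshold above, as an added example that is not part of the original advisory or the plexus-utils project: it scans `mvn dependency:tree` output for plexus-utils entries below 3.0.16. The function names and the sample tree are constructed for illustration, and flagging qualified builds of 3.0.16 (such as `-SNAPSHOT`) is an assumption made to stay conservative.

```python
import re

FIXED = (3, 0, 16)  # first fixed release per the advisory above
COORD = re.compile(r"org\.codehaus\.plexus:plexus-utils:[\w.:\-]+")

def split_version(version):
    """'3.0.15' -> ((3, 0, 15), False); '3.0.16-SNAPSHOT' -> ((3, 0, 16), True)."""
    parts = re.split(r"[.\-]", version)
    nums = []
    for part in parts:
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums), len(nums) < len(parts)

def is_vulnerable(version):
    nums, qualified = split_version(version)
    if not nums:
        return True  # unparseable version: flag for manual review
    nums += (0,) * (3 - len(nums))  # '3.0' compares as 3.0.0
    if nums == FIXED and qualified:
        return True  # assumption: qualified builds of 3.0.16 are not trusted
    return nums < FIXED

def find_vulnerable(tree_output):
    """Return (line_number, version) for each affected plexus-utils entry."""
    hits = []
    for lineno, line in enumerate(tree_output.splitlines(), 1):
        for coord in COORD.findall(line):
            fields = coord.split(":")
            if len(fields) < 4:
                continue  # not in group:artifact:type:version form
            # g:a:type:version[:scope] or g:a:type:classifier:version:scope
            version = fields[4] if len(fields) == 6 else fields[3]
            if is_vulnerable(version):
                hits.append((lineno, version))
    return hits

# Constructed sample of `mvn dependency:tree` output, not from a real project.
SAMPLE = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.maven:maven-model:jar:3.0:compile
[INFO] |  \\- org.codehaus.plexus:plexus-utils:jar:3.0.15:compile
[INFO] +- org.codehaus.plexus:plexus-utils:jar:3.0.16:compile
[INFO] +- org.codehaus.plexus:plexus-utils:jar:1.5.15:test
[INFO] \\- org.codehaus.plexus:plexus-utils:jar:3.1.0:runtime
"""

if __name__ == "__main__":
    for lineno, version in find_vulnerable(SAMPLE):
        print(f"line {lineno}: plexus-utils {version} is below 3.0.16")
```

Transitive entries matter here: the 3.0.15 hit in the sample arrives through another dependency, so checking only the direct dependencies declared in the POM would miss it.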
Additional Resources
- https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf@%3Ccommits.pulsar.apache.org%3E
- https://access.redhat.com/errata/RHSA-2018:1322
- https://lists.debian.org/debian-lts-announce/2018/01/msg00010.html
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000487
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2018/01/msg00011.html
- https://lists.apache.org/thread.html/r2e94f72f53df432302d359fd66cfa9e9efb8d42633d54579a4377e62%40%3Cdev.avro.apache.org%3E
- https://www.debian.org/security/2018/dsa-4149
- https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E
What are Similar Vulnerabilities to CVE-2017-1000487?
Similar Vulnerabilities: CVE-2014-0414, CVE-2018-7667, CVE-2019-1002100, CVE-2021-36746, CVE-2022-26134
