CVE-2022-29546
Malware vulnerability in neko-htmlunit (Maven)

Malware | No known exploit

What is CVE-2022-29546 About?

This vulnerability is classified as malware, meaning that any system with this package installed should be considered fully compromised. It leads to complete system compromise and loss of all secrets and keys. Exploitation occurs upon installation of the malicious package itself.

Affected Software

net.sourceforge.htmlunit:neko-htmlunit <2.61.0

Technical Details

The GHSA-g26r-7xc6-5q27 entry describes a malicious package. Installing or executing it immediately compromises the host system. The package therefore likely includes code designed to establish persistence, exfiltrate sensitive information such as secrets and keys, and give an external party full control of the compromised machine. Because such software integrates deeply into the system, simply removing the package is not sufficient to guarantee remediation: residual malware or backdoors may remain.

What is the Impact of CVE-2022-29546?

Successful exploitation may allow attackers to gain full control over the compromised system, exfiltrate all stored secrets and keys, and establish persistent access, leading to complete data compromise and potentially further attacks.

What is the Exploitability of CVE-2022-29546?

Exploitation is straightforward: it occurs when the malicious package itself is installed or executed. There are generally no prerequisites beyond a user or an automated system triggering the installation, and no authentication or elevated privileges are needed once the package runs, since the malware is built to escalate privileges or bypass security mechanisms. The attack can be local or remote depending on how the package is delivered and executed. Risk factors include downloading packages from untrusted sources, automated build systems pulling untrusted dependencies, and a compromised supply chain.

What are the Known Public Exploits?

No known public exploits: the PoC table (PoC, Author, Link, Commentary) is empty.

What are the Available Fixes for CVE-2022-29546?

Available Upgrade Options

  • net.sourceforge.htmlunit:neko-htmlunit
    • <2.61.0 → Upgrade to 2.61.0
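As an added example (not part of this advisory or of Resolved Security's tooling), the following script checks `mvn dependency:list` output for the affected coordinate and version range stated above. It compares versions numerically rather than as strings (so 2.9.0 is correctly treated as older than 2.61.0) and conservatively flags pre-release qualifiers such as 2.61.0-SNAPSHOT. The sample output embedded below is constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Coordinate and fixed version exactly as stated in the advisory.
AFFECTED_COORDINATE = "net.sourceforge.htmlunit:neko-htmlunit"
FIXED_VERSION = "2.61.0"

# Leading dotted numeric part, followed by any qualifier (e.g. "-SNAPSHOT").
_NUMERIC = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    # Numeric components compare as integers; a qualifier sorts below the
    # bare release so that 2.61.0-SNAPSHOT still counts as affected.
    m = _NUMERIC.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    return numbers, 0 if m.group(2) else 1


def is_affected(version: str) -> bool:
    # Affected range from the advisory: anything below 2.61.0.
    return version_key(version) < version_key(FIXED_VERSION)


def scan_dependency_list(output: str) -> List[Dict[str, str]]:
    # Dependency lines look like "[INFO]    group:artifact:type[:classifier]:version:scope",
    # so the version is always the second-to-last colon-separated field.
    findings = []
    for line in output.splitlines():
        body = line.strip()
        if body.startswith("[INFO]"):
            body = body[len("[INFO]"):].strip()
        fields = body.split(":")
        if len(fields) < 5:
            continue  # plugin banners, headings and blank lines
        coordinate = f"{fields[0]}:{fields[1]}"
        version, scope = fields[-2], fields[-1].strip().split(" ")[0]
        if coordinate == AFFECTED_COORDINATE and is_affected(version):
            findings.append({"coordinate": coordinate, "version": version, "scope": scope})
    return findings


# Constructed sample of `mvn dependency:list` output (not a real build log).
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.6.1:list (default-cli) @ app ---
[INFO]
[INFO] The following files have been resolved:
[INFO]    net.sourceforge.htmlunit:neko-htmlunit:jar:2.60.0:compile
[INFO]    net.sourceforge.htmlunit:htmlunit:jar:2.60.0:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
"""

if __name__ == "__main__":
    for f in scan_dependency_list(SAMPLE_OUTPUT):
        print(f"AFFECTED: {f['coordinate']} {f['version']} ({f['scope']}) -> upgrade to {FIXED_VERSION}")
```

Pipe a real `mvn dependency:list` run into `scan_dependency_list` to check a project; an empty result means no affected neko-htmlunit version was resolved.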


Additional Resources

What are Similar Vulnerabilities to CVE-2022-29546?

Similar Vulnerabilities: GHSA-x6j8-xf5w-52f2, GHSA-vr6r-cg59-pq2h, GHSA-87f5-2m3h-p5h8, GHSA-wpg3-f47w-w763, GHSA-56cw-5wvp-hmqj