CVE-2022-39243 : NUPROCESS UP TO 2.0.4 COMMAND LINE ARGUMENT JAVA_JAVA_LANG_UNIXPROCESS_FORKANDEXEC COMMAND INJECTION

Description

NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM’s Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java’s ProcessBuilder isn’t vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.

References

https://github.com/brettwooldridge/NuProcess/security/advisories/GHSA-cxgf-v2p8-7ph7

https://github.com/brettwooldridge/NuProcess/commit/29bc09de561bf00ff9bf77123756363a9709f868

https://github.com/brettwooldridge/NuProcess/pull/143

For More Information

MITRE

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2022-45884 : LINUX KERNEL UP TO 6.0.9 DVBDEV.C DVB_REGISTER_DEVICE USE AFTER FREE

CVE-2022-45884 : LINUX KERNEL UP TO 6.0.9 DVBDEV.C DVB_REGISTER_DEVICE USE AFTER FREE

Description An issue was discovered in the Linux kernel through 6.0.9. drivers/media/dvb-core/dvbdev.c has a use-after-free, related to dvb_register_device dynamically allocating

CVE-2022-41875 : OPTICA UP TO 0.10.1 JSON OJ.SAFE_LOAD DESERIALIZATION

CVE-2022-41875 : OPTICA UP TO 0.10.1 JSON OJ.SAFE_LOAD DESERIALIZATION

Description A remote code execution (RCE) vulnerability in Optica allows unauthenticated attackers to execute arbitrary code via specially crafted JSON

CVE-2022-3910 : LINUX KERNEL LOCAL PRIVILEGE IO_URING USE AFTER FREE

CVE-2022-3910 : LINUX KERNEL LOCAL PRIVILEGE IO_URING USE AFTER FREE

Description Use After Free vulnerability in Linux Kernel allows Privilege Escalation. An improper Update of Reference Count in io_uring leads