Uploaded image for project: 'Share Application'
  1. Share Application
  2. SHA-2299

[Security Issue] plexus-utils 2.0.6

    Details

    • Type: Bug
    • Status: Done (View Workflow)
    • Resolution: Done
    • Affects Version/s: 5.2.N, 6.0.N, 6.N
    • Fix Version/s: 5.2.N, 6.0.N, 6.N
    • Component/s: None
    • Labels:
      None
    • Bug Priority:
      Category 1
    • Sprint:
      Sibelius
    • Story Points:
      3

      Description

      Found by Veracode scan (score 9.8): https://saas.whitesourcesoftware.com/Wss/WSS.html#!libraryDetails;uuid=31a4bf00-65b8-4f87-9206-5cb283bf095d;project=1013379 

       

      CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000487 

      "Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings."

       
      Dependency hierarchy ("<-" = "brings in"):

      Share <- spring-surf 6.11 <- maven-artifact 3.0.3 <- plexus-utils 2.0.6

        Attachments

          Issue Links

          Depended on by

          Story - SHA-2301 [Spike] Investigate the security issues with CVSS 3 Score >= 9.5 on Share, Surf, Webscripts and Aikau

          • Done

            Structure

              Activity

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  abalmus Alexandru Balmus
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved:

                    Structure Helper Panel