Commandline class shell injection vulnerabilities
Description
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Maven maven-shared-utils Commandline class fails to escape double-quoted strings, enabling shell injection attacks.
Vulnerability
The Commandline class in Apache Maven maven-shared-utils prior to version 3.3.3 does not properly escape double-quoted strings when constructing shell commands. This allows an attacker to inject arbitrary shell commands. The vulnerability is tracked as MSHARED-297 [1][2][4].
Exploitation
An attacker can exploit this by providing a crafted argument that contains double quotes and shell metacharacters. When the Commandline class builds a command string, it emits double-quoted arguments without escaping internal quotes, allowing the attacker to break out of the quoting and inject additional commands. No special privileges are required beyond the ability to supply input to a Maven build that uses the vulnerable class [1][2].
Impact
Successful exploitation leads to arbitrary shell command execution with the privileges of the Maven process. This can result in full compromise of the build environment, including data exfiltration, installation of malware, or lateral movement [1][4].
Mitigation
The fix is included in maven-shared-utils version 3.3.3, released on 2022-05-23. Users should upgrade to version 3.3.3 or later. The fix unconditionally single-quotes the executable and every argument to prevent injection [2][4]. No workaround is available for earlier versions.
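The quoting difference the fix turns on, as an added example that is not code from maven-shared-utils: a naive double-quoting wrapper (an illustrative reconstruction of the defect described above) beside the unconditional single-quoting the 3.3.3 fix describes, with Python's `shlex` standing in for the POSIX shell's word splitting. The sample argument and the `echo` executable are constructed for the demonstration.

```python
import shlex


def double_quote_naive(arg: str) -> str:
    """Wrap the word in double quotes without escaping anything inside.

    Illustrative reconstruction of the quoting defect the advisory
    describes for maven-shared-utils before 3.3.3; not the library's code.
    """
    return '"' + arg + '"'


def single_quote(arg: str) -> str:
    """Unconditionally single-quote a word for a POSIX shell.

    Inside single quotes no character is special, so only an embedded
    single quote needs handling: close the quote, emit an escaped quote,
    and reopen the quote. This is the strategy the 3.3.3 fix describes.
    """
    return "'" + arg.replace("'", "'\\''") + "'"


def build_command(exe: str, args: list[str], quote) -> str:
    """Join executable and arguments into one command line using `quote`."""
    return " ".join(quote(word) for word in [exe, *args])


def argv_seen_by_shell(command: str) -> list[str]:
    """Word-split a command line as a POSIX shell would (shlex, posix mode).

    shlex models only quoting and whitespace splitting, not operators such
    as ';', so a quoting failure shows up as extra argv entries.
    """
    return shlex.split(command)


def round_trips(exe: str, args: list[str], quote) -> bool:
    """True when the shell would receive exactly the intended argv."""
    return argv_seen_by_shell(build_command(exe, args, quote)) == [exe, *args]


# Constructed sample argument: embedded double quotes around whitespace,
# the shape of input the advisory says the old quoting did not escape.
SAMPLE_ARG = 'one" two "three'

if __name__ == "__main__":
    for quote in (double_quote_naive, single_quote):
        cmd = build_command("echo", [SAMPLE_ARG], quote)
        print(f"{quote.__name__:>19}: {cmd!r} -> {argv_seen_by_shell(cmd)}")
```

With the naive wrapper the single intended argument reaches the shell as three separate words; with single quoting it arrives intact, including embedded single quotes and characters such as `;`.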
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.maven.shared:maven-shared-utils (Maven) | < 3.3.3 | 3.3.3 |
Affected products
52 entries (GHSA coordinates: 51 versioned packages, plus one vendor/product range):

| Package | CPE | Affected range |
|---|---|---|
| pkg:maven/org.apache.maven.shared/maven-shared-utils | (no CPE) | < 3.3.3 |
| pkg:rpm/almalinux/aopalliance | (no CPE) | < 1.0-20.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/apache-commons-cli | (no CPE) | < 1.4-7.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/apache-commons-codec | (no CPE) | < 1.13-3.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/apache-commons-io | (no CPE) | < 1:2.6-6.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/apache-commons-lang3 | (no CPE) | < 3.9-4.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/apache-commons-logging | (no CPE) | < 1.2-13.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/atinject | (no CPE) | < 1-31.20100611svn86.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/cdi-api | (no CPE) | < 2.0.1-3.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/geronimo-annotation | (no CPE) | < 1.0-26.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/glassfish-el-api | (no CPE) | < 3.0.1-0.7.b08.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/google-guice | (no CPE) | < 4.2.2-4.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/guava | (no CPE) | < 28.1-3.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/guava20 | (no CPE) | < 20.0-8.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/hawtjni-runtime | (no CPE) | < 1.16-2.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/httpcomponents-client | (no CPE) | < 4.5.10-4.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/httpcomponents-core | (no CPE) | < 4.4.12-3.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/jansi | (no CPE) | < 1.18-4.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/jansi-native | (no CPE) | < 1.7-7.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/jboss-interceptors-1.2-api | (no CPE) | < 1.0.0-8.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/jcl-over-slf4j | (no CPE) | < 1.7.28-3.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/jsoup | (no CPE) | < 1.12.1-3.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/jsr-305 | (no CPE) | < 0-0.25.20130910svn.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/maven | (no CPE) | < 1:3.6.2-7.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/maven-lib | (no CPE) | < 1:3.6.2-7.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/maven-openjdk11 | (no CPE) | < 1:3.6.2-7.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/maven-openjdk17 | (no CPE) | < 1:3.6.2-7.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/maven-openjdk8 | (no CPE) | < 1:3.6.2-7.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/maven-resolver | (no CPE) | < 1.4.1-3.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/maven-resolver-api | (no CPE) | < 1:1.1.1-2.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/maven-resolver-connector-basic | (no CPE) | < 1:1.1.1-2.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/maven-resolver-impl | (no CPE) | < 1:1.1.1-2.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/maven-resolver-spi | (no CPE) | < 1:1.1.1-2.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/maven-resolver-transport-wagon | (no CPE) | < 1:1.1.1-2.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/maven-resolver-util | (no CPE) | < 1:1.1.1-2.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/maven-shared-utils | (no CPE) | < 3.2.1-0.5.module_el8.6.0+2903+d6ca2362 |
| pkg:rpm/almalinux/maven-wagon | (no CPE) | < 3.3.4-2.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/maven-wagon-file | (no CPE) | < 3.1.0-1.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/maven-wagon-http | (no CPE) | < 3.1.0-1.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/maven-wagon-http-shared | (no CPE) | < 3.1.0-1.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/maven-wagon-provider-api | (no CPE) | < 3.1.0-1.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/plexus-cipher | (no CPE) | < 1.7-17.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/plexus-classworlds | (no CPE) | < 2.6.0-4.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/plexus-containers-component-annotations | (no CPE) | < 2.1.0-2.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/plexus-interpolation | (no CPE) | < 1.26-3.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/plexus-sec-dispatcher | (no CPE) | < 1.4-29.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/plexus-utils | (no CPE) | < 3.3.0-3.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/sisu | (no CPE) | < 0.3.4-2.module_el8.6.0+2786+d7c38b21 |
| pkg:rpm/almalinux/sisu-inject | (no CPE) | < 1:0.3.3-6.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/sisu-plexus | (no CPE) | < 1:0.3.3-6.module_el8.6.0+2752+f1f3449e |
| pkg:rpm/almalinux/slf4j | (no CPE) | < 1.7.28-3.module_el8.6.0+2786+d7c38b21 |

- Apache Software Foundation / Apache Maven (v5), range: maven-shared-utils
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-rhgr-952r-6p8q (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2022-29599 (advisory)
3. www.debian.org/security/2022/dsa-5242 (vendor advisory, Debian)
4. www.openwall.com/lists/oss-security/2022/05/23/3 (mailing list, oss-security)
5. github.com/apache/maven-shared-utils/pull/40 (fix pull request)
6. issues.apache.org/jira/browse/MSHARED-297 (issue tracker)
7. lists.debian.org/debian-lts-announce/2022/08/msg00018.html (mailing list, debian-lts-announce)
News mentions
No linked articles in our index yet.