CVE-2022-39224 - Vulnerability Details - OpenCVE

Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Ruby-arr-pm Project	Ruby-arr-pm

Configuration 1 [-]

cpe:2.3:a:ruby-arr-pm_project:ruby-arr-pm:*:*:*:*:*:ruby:*:*

No data.

References

Link	Providers
https://github.com/jordansissel/ruby-arr-pm/pull/14
https://github.com/jordansissel/ruby-arr-pm/pull/15
https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q

History

Tue, 22 Apr 2025 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-09-21T23:10:08.000Z

Updated: 2025-04-22T17:21:08.754Z

Reserved: 2022-09-02T00:00:00.000Z

Link: CVE-2022-39224

Vulnrichment

Updated: 2024-08-03T12:00:43.325Z

NVD

Status : Modified

Published: 2022-09-21T23:15:09.623

Modified: 2024-11-21T07:17:49.317

Link: CVE-2022-39224

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "ruby-arr-pm", "vendor": "jordansissel", "versions": [{"status": "affected", "version": "< 0.0.12"}]}], "descriptions": [{"lang": "en", "value": "Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious \"payload compressor\" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-09-21T23:10:08.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/15"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/14"}], "source": {"advisory": "GHSA-88cv-mj24-8w3q", "discovery": "UNKNOWN"}, "title": "Arbitrary shell execution when extracting or listing files contained in a malicious rpm.", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-39224", "STATE": "PUBLIC", "TITLE": "Arbitrary shell execution when extracting or listing files contained in a malicious rpm."}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ruby-arr-pm", "version": {"version_data": [{"version_value": "< 0.0.12"}]}}]}, "vendor_name": "jordansissel"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious \"payload compressor\" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q", "refsource": "CONFIRM", "url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q"}, {"name": "https://github.com/jordansissel/ruby-arr-pm/pull/15", "refsource": "MISC", "url": "https://github.com/jordansissel/ruby-arr-pm/pull/15"}, {"name": "https://github.com/jordansissel/ruby-arr-pm/pull/14", "refsource": "MISC", "url": "https://github.com/jordansissel/ruby-arr-pm/pull/14"}]}, "source": {"advisory": "GHSA-88cv-mj24-8w3q", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.325Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/15"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/14"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T15:41:24.618264Z", "id": "CVE-2022-39224", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T17:21:08.754Z"}}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-39224", "datePublished": "2022-09-21T23:10:08.000Z", "dateReserved": "2022-09-02T00:00:00.000Z", "dateUpdated": "2025-04-22T17:21:08.754Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/jordansissel/ruby-arr-pm/pull/15", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/jordansissel/ruby-arr-pm/pull/14", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.325Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39224", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-22T15:41:24.618264Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T15:41:31.429Z"}}], "cna": {"title": "Arbitrary shell execution when extracting or listing files contained in a malicious rpm.", "source": {"advisory": "GHSA-88cv-mj24-8w3q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "jordansissel", "product": "ruby-arr-pm", "versions": [{"status": "affected", "version": "< 0.0.12"}]}], "references": [{"url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/jordansissel/ruby-arr-pm/pull/15", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/jordansissel/ruby-arr-pm/pull/14", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious \"payload compressor\" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-09-21T23:10:08.000Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, "source": {"advisory": "GHSA-88cv-mj24-8w3q", "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_value": "< 0.0.12"}]}, "product_name": "ruby-arr-pm"}]}, "vendor_name": "jordansissel"}]}}, "data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q", "name": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q", "refsource": "CONFIRM"}, {"url": "https://github.com/jordansissel/ruby-arr-pm/pull/15", "name": "https://github.com/jordansissel/ruby-arr-pm/pull/15", "refsource": "MISC"}, {"url": "https://github.com/jordansissel/ruby-arr-pm/pull/14", "name": "https://github.com/jordansissel/ruby-arr-pm/pull/14", "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious \"payload compressor\" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-39224", "STATE": "PUBLIC", "TITLE": "Arbitrary shell execution when extracting or listing files contained in a malicious rpm.", "ASSIGNER": "security-advisories@github.com"}}}}, "cveMetadata": {"cveId": "CVE-2022-39224", "state": "PUBLISHED", "dateUpdated": "2025-04-22T17:21:08.754Z", "dateReserved": "2022-09-02T00:00:00.000Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2022-09-21T23:10:08.000Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-arr-pm_project:ruby-arr-pm:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "0DCB3286-980B-4B5B-8A8E-128C03D4B03F", "versionEndExcluding": "0.0.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious \"payload compressor\" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool."}, {"lang": "es", "value": "Arr-pm es una biblioteca de lectura/escritura de RPM escrita en Ruby. Las versiones anteriores a 0.0.12 est\u00e1n sujetas a una inyecci\u00f3n de comandos del Sistema Operativo, resultando en una ejecuci\u00f3n de shell si el RPM contiene un campo \"payload compressor\" malicioso. Esta vulnerabilidad afecta a los m\u00e9todos \"extract\" y \"files\" de la clase \"RPM::File\" de esta biblioteca. La versi\u00f3n 0.0.12 parchea estos problemas. Una mitigaci\u00f3n para este problema es asegurarse de que cualquier RPM que es procedido contenga valores de compresores de carga \u00fatil v\u00e1lidos/conocidos como gzip, bzip2, xz, zstd y lzma. El campo del compresor de carga \u00fatil en un rpm puede comprobarse al usar la herramienta de l\u00ednea de comandos rpm"}], "id": "CVE-2022-39224", "lastModified": "2024-11-21T07:17:49.317", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-21T23:15:09.623", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/14"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/15"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/14"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/jordansissel/ruby-arr-pm/pull/15"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}