CVE-2023-34112 - Vulnerability Details - OpenCVE

JavaCPP Presets is a project providing Java distributions of native C++ libraries. All the actions in the `bytedeco/javacpp-presets` use the `github.event.head_commit.message` parameter in an insecure way. For example, the commit message is used in a run statement - resulting in a command injection vulnerability due to string interpolation. No exploitation has been reported. This issue has been addressed in version 1.5.9. Users of JavaCPP Presets are advised to upgrade as a precaution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Bytedeco	Javacpp Presets

Configuration 1 [-]

cpe:2.3:a:bytedeco:javacpp_presets:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x
https://securitylab.github.com/research/github-actions-untrusted-input/

History

Mon, 06 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-06-08T23:05:36.423Z

Updated: 2025-01-06T19:43:42.532Z

Reserved: 2023-05-25T21:56:51.247Z

Link: CVE-2023-34112

Vulnrichment

Updated: 2024-08-02T16:01:53.221Z

NVD

Status : Modified

Published: 2023-06-09T00:15:10.447

Modified: 2024-11-21T08:06:34.450

Link: CVE-2023-34112

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-34112", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-05-25T21:56:51.247Z", "datePublished": "2023-06-08T23:05:36.423Z", "dateUpdated": "2025-01-06T19:43:42.532Z"}, "containers": {"cna": {"title": "JavaCPP project actions vulnerable to code injection ", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x"}, {"name": "https://securitylab.github.com/research/github-actions-untrusted-input/", "tags": ["x_refsource_MISC"], "url": "https://securitylab.github.com/research/github-actions-untrusted-input/"}], "affected": [{"vendor": "bytedeco", "product": "javacpp-presets", "versions": [{"version": "< 1.5.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-08T23:05:36.423Z"}, "descriptions": [{"lang": "en", "value": "JavaCPP Presets is a project providing Java distributions of native C++ libraries. All the actions in the `bytedeco/javacpp-presets` use the `github.event.head_commit.message\u200b` parameter in an insecure way. For example, the commit message is used in a run statement - resulting in a command injection vulnerability due to string interpolation. No exploitation has been reported. This issue has been addressed in version 1.5.9. Users of JavaCPP Presets are advised to upgrade as a precaution."}], "source": {"advisory": "GHSA-36rx-hq22-jm5x", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:01:53.221Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x"}, {"name": "https://securitylab.github.com/research/github-actions-untrusted-input/", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://securitylab.github.com/research/github-actions-untrusted-input/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-06T19:43:33.838979Z", "id": "CVE-2023-34112", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T19:43:42.532Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x", "name": "https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://securitylab.github.com/research/github-actions-untrusted-input/", "name": "https://securitylab.github.com/research/github-actions-untrusted-input/", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T16:01:53.221Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-34112", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-06T19:43:33.838979Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-06T19:43:39.082Z"}}], "cna": {"title": "JavaCPP project actions vulnerable to code injection ", "source": {"advisory": "GHSA-36rx-hq22-jm5x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "bytedeco", "product": "javacpp-presets", "versions": [{"status": "affected", "version": "< 1.5.9"}]}], "references": [{"url": "https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x", "name": "https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://securitylab.github.com/research/github-actions-untrusted-input/", "name": "https://securitylab.github.com/research/github-actions-untrusted-input/", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "JavaCPP Presets is a project providing Java distributions of native C++ libraries. All the actions in the `bytedeco/javacpp-presets` use the `github.event.head_commit.message\u200b` parameter in an insecure way. For example, the commit message is used in a run statement - resulting in a command injection vulnerability due to string interpolation. No exploitation has been reported. This issue has been addressed in version 1.5.9. Users of JavaCPP Presets are advised to upgrade as a precaution."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-06-08T23:05:36.423Z"}}}, "cveMetadata": {"cveId": "CVE-2023-34112", "state": "PUBLISHED", "dateUpdated": "2025-01-06T19:43:42.532Z", "dateReserved": "2023-05-25T21:56:51.247Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2023-06-08T23:05:36.423Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bytedeco:javacpp_presets:*:*:*:*:*:*:*:*", "matchCriteriaId": "4B96479B-4F8E-4DE4-A178-377F9D303318", "versionEndExcluding": "1.5.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "JavaCPP Presets is a project providing Java distributions of native C++ libraries. All the actions in the `bytedeco/javacpp-presets` use the `github.event.head_commit.message\u200b` parameter in an insecure way. For example, the commit message is used in a run statement - resulting in a command injection vulnerability due to string interpolation. No exploitation has been reported. This issue has been addressed in version 1.5.9. Users of JavaCPP Presets are advised to upgrade as a precaution."}, {"lang": "es", "value": "JavaCPP Presets es un proyecto que proporciona distribuciones Java de librer\u00edas C++ nativas. Todas las acciones en el \"bytedeco/javacpp-presets\" utilizan el par\u00e1metro \"github.event.head_commit.message?\" de forma insegura. Por ejemplo, el mensaje de confirmaci\u00f3n se utiliza en una sentencia de ejecuci\u00f3n, lo que resulta en una vulnerabilidad de inyecci\u00f3n de comandos debido a la interpolaci\u00f3n de cadenas. No se ha informado de ninguna explotaci\u00f3n. Este problema se ha solucionado en la versi\u00f3n 1.5.9. Se recomienda a los usuarios de JavaCPP Presets que actualicen como medida de precauci\u00f3n. "}], "id": "CVE-2023-34112", "lastModified": "2024-11-21T08:06:34.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-06-09T00:15:10.447", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/research/github-actions-untrusted-input/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-jm5x"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/research/github-actions-untrusted-input/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-advisories@github.com", "type": "Secondary"}]}