Closed mend-for-github-com[bot] closed 3 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
## CVE-2017-1000487 - High Severity Vulnerability

### Vulnerable Library - plexus-utils-2.0.6.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: test-samples/samples/testing-frameworks/appium/server-side/image-recognition/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/2.0.6/plexus-utils-2.0.6.jar

Dependency Hierarchy:
- maven-artifact-3.0.3.jar (Root Library)
  - :x: **plexus-utils-2.0.6.jar** (Vulnerable Library)

Found in HEAD commit: 12af4f854b64888df6e4492ecc94e141388e939a

Found in base branch: master

### Vulnerability Details

Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

Publish Date: 2018-01-03

URL: CVE-2017-1000487

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487

Release Date: 2018-01-03

Fix Resolution: 3.0.16