Since version 3.9, MAVEN support MAVEN_ARGS env variable as parameter.
In addition to that, you can run (and download) any (approved) plugin without editing the pom.xml
For instance
mvn ninja.stealing:maven-password:0.0.4:dump
Which mean you can escalate an env injection to plugin injection, then RCE (let see with exec-maven-plugin, as in your example)
Description of the LOTP tool
MAVEN, you got it already.
ENV Configuration
Since version 3.9, MAVEN support MAVEN_ARGS env variable as parameter. In addition to that, you can run (and download) any (approved) plugin without editing the pom.xml
For instance
Which mean you can escalate an env injection to plugin injection, then RCE (let see with exec-maven-plugin, as in your example)
Documentation
https://maven.apache.org/configure.html#maven_opts-environment-variable https://github.com/tr4l/maven-password https://www.mojohaus.org/exec-maven-plugin/exec-mojo.html