Headline
CVE-2022-25914: Check if file exists when executable path is passed in through jib dockerClient.executable by mpeddada1 · Pull Request #3744 · GoogleContainerTools/jib
The package com.google.cloud.tools:jib-core before 0.22.0 are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, due to attempting to execute input.
Conversation
*
* @return {@code true} if Docker is installed on the user’s system and accessible
*/
public static boolean isDefaultDockerInstalled() {
return isDockerInstalled(DEFAULT_DOCKER_CLIENT);
try {
new ProcessBuilder(DEFAULT_DOCKER_CLIENT.toString()).start();
*
* @return {@code true} if Docker is installed on the user’s system and accessible
*/
public static boolean isDefaultDockerInstalled() {
return isDockerInstalled(DEFAULT_DOCKER_CLIENT);
try {
new ProcessBuilder(DEFAULT_DOCKER_CLIENT.toString()).start();
This was referenced
Aug 25, 2022
mpeddada1 marked this pull request as ready for review
Aug 25, 2022
Related news
Red Hat Security Advisory 2023-0471-01 - An update is now available for Migration Toolkit for Runtimes (v1.0.1). Issues addressed include a denial of service vulnerability.
An update is now available for Migration Toolkit for Runtimes (v1.0.1). Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3517: nodejs-minimatch: ReDoS via the braceExpand function * CVE-2022-25914: jib-core: RCE via the isDockerInstalled * CVE-2022-37603: loader-utils:Regular expression denial of service * CVE-2022-42003: jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS * CVE-2022-42004: jackson-databind: use of deeply nested arrays * CVE-2022...
The package com.google.cloud.tools:jib-core before 0.22.0 are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, due to attempting to execute input.