Remote Code Execution (RCE) Affecting com.google.cloud.tools:jib-core package, versions [,0.22.0)
Threat Intelligence
EPSS: 2.46% (91st percentile)
- Snyk ID SNYK-JAVA-COMGOOGLECLOUDTOOLS-2968871
- published 7 Sep 2022
- disclosed 3 Aug 2022
- credit altman
- introduced 3 Aug 2022
- CVE-2022-25914
How to fix?
Upgrade com.google.cloud.tools:jib-core to version 0.22.0 or higher.
Overview
Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the isDockerInstalled function, which attempts to execute the Path it is given as a command instead of only checking whether a Docker binary is present.
PoC (the DockerClient import below is assumed to be jib-core's com.google.cloud.tools.jib.docker package; the rest is the advisory's original snippet made compilable):

    import java.nio.file.Path;
    import java.nio.file.Paths;
    import com.google.cloud.tools.jib.docker.DockerClient; // package assumed
    public class Poc {
        public static void poc() {
            Path path = Paths.get("whoami"); // not a docker binary, yet it is started as a process
            DockerClient.isDockerInstalled(path);
        }
    }
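The following is an added illustration of the bug class the advisory describes, not jib's own code: a probe that hands a caller-supplied path straight to ProcessBuilder (the vulnerable pattern), next to a hardened variant that validates the candidate before anything is started. All class, method and policy names here are assumptions; the allowlist of executable names and the PATH lookup are one reasonable policy, not jib's actual fix.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Set;

/** Illustrative example only; names and policy are assumptions, not jib-core's API. */
public final class DockerProbeExample {

    // Vulnerable pattern: the caller's string becomes argv[0] of a new process. A bare
    // name such as "whoami" is resolved by the OS against PATH, so the "check" runs an
    // arbitrary command instead of confirming that docker exists.
    static boolean isDockerInstalledVulnerable(Path dockerExecutable) {
        try {
            Process p = new ProcessBuilder(dockerExecutable.toString(), "--version").start();
            return p.waitFor() == 0;
        } catch (IOException | InterruptedException e) {
            return false;
        }
    }

    // Hardened variant: only well-known executable names are accepted, and only after
    // the candidate resolves to an existing regular, executable file. Anything that
    // fails validation is never started.
    private static final Set<String> ALLOWED_NAMES = Set.of("docker", "docker.exe");

    static boolean isDockerInstalledHardened(Path dockerExecutable) {
        Path resolved = resolveDockerExecutable(dockerExecutable);
        if (resolved == null) {
            return false;
        }
        try {
            Process p = new ProcessBuilder(resolved.toString(), "--version").start();
            return p.waitFor() == 0;
        } catch (IOException | InterruptedException e) {
            return false;
        }
    }

    /** Returns the validated absolute path, or null when the input is not acceptable. */
    static Path resolveDockerExecutable(Path candidate) {
        Path fileName = candidate.getFileName();
        if (fileName == null || !ALLOWED_NAMES.contains(fileName.toString())) {
            return null; // "whoami", "sh", "../x" and similar are rejected before any exec
        }
        if (candidate.isAbsolute()) {
            return isRegularExecutable(candidate) ? candidate : null;
        }
        // Bare or relative name: locate it on PATH ourselves rather than letting the OS
        // resolve an arbitrary string.
        String pathEnv = System.getenv("PATH");
        if (pathEnv == null) {
            return null;
        }
        for (String dir : pathEnv.split(File.pathSeparator)) {
            if (dir.isEmpty()) {
                continue;
            }
            Path p = Paths.get(dir).resolve(fileName);
            if (isRegularExecutable(p)) {
                return p.toAbsolutePath();
            }
        }
        return null;
    }

    private static boolean isRegularExecutable(Path p) {
        return Files.isRegularFile(p) && Files.isExecutable(p);
    }

    public static void main(String[] args) {
        Path untrusted = Paths.get("whoami"); // the advisory's PoC input
        System.out.println("hardened accepts 'whoami'? " + (resolveDockerExecutable(untrusted) != null));
        System.out.println("hardened resolves 'docker' to: " + resolveDockerExecutable(Paths.get("docker")));
    }
}
```

The point of the hardened version is that the decision "may this be executed?" is made on the file system (name allowlist, regular file, executable bit) before ProcessBuilder is involved, so a configuration value or build parameter that reaches isDockerInstalled can no longer smuggle in an unrelated command.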
References
CVSS Scores (version 3.1)