Arbitrary Code Execution Affecting org.codehaus.mojo:exec-maven-plugin package, versions [,1.2)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
1.12% (85th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGCODEHAUSMOJO-540747
  • published6 Jan 2020
  • disclosed6 Jan 2020
  • creditUnknown

Introduced: 6 Jan 2020

CVE-2019-20343  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade org.codehaus.mojo:exec-maven-plugin to version 1.2 or higher.

Overview

org.codehaus.mojo:exec-maven-plugin is a plugin that provides 2 goals to help execute system and Java programs

Affected versions of this package are vulnerable to Arbitrary Code Execution via a crafted XML document because a configuration element (within a plugin element) can specify an arbitrary program in an executable element (and can also specify arbitrary command-line arguments in an arguments element).

References

CVSS Scores

version 3.1