CVE-2022-39224

Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/jordansissel/ruby-arr-pm/pull/14	Patch Third Party Advisory
https://github.com/jordansissel/ruby-arr-pm/pull/15	Patch Third Party Advisory
https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q	Exploit Third Party Advisory
https://github.com/jordansissel/ruby-arr-pm/pull/14	Patch Third Party Advisory
https://github.com/jordansissel/ruby-arr-pm/pull/15	Patch Third Party Advisory
https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:ruby-arr-pm_project:ruby-arr-pm:*:*:*:*:*:ruby:*:*

History

21 Nov 2024, 07:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-21 23:15

Updated : 2024-11-21 07:17

NVD link : CVE-2022-39224

Mitre link : CVE-2022-39224

CVE.ORG link : CVE-2022-39224

JSON object : View

Products Affected

ruby-arr-pm_project

ruby-arr-pm

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2022-39224", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2022-09-21T23:15:09.623", "references": [{"url": "https://github.com/jordansissel/ruby-arr-pm/pull/14", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jordansissel/ruby-arr-pm/pull/15", "tags": ["Patch", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/jordansissel/ruby-arr-pm/pull/14", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/jordansissel/ruby-arr-pm/pull/15", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious \"payload compressor\" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool."}, {"lang": "es", "value": "Arr-pm es una biblioteca de lectura/escritura de RPM escrita en Ruby. Las versiones anteriores a 0.0.12 est\u00e1n sujetas a una inyecci\u00f3n de comandos del Sistema Operativo, resultando en una ejecuci\u00f3n de shell si el RPM contiene un campo \"payload compressor\" malicioso. Esta vulnerabilidad afecta a los m\u00e9todos \"extract\" y \"files\" de la clase \"RPM::File\" de esta biblioteca. La versi\u00f3n 0.0.12 parchea estos problemas. Una mitigaci\u00f3n para este problema es asegurarse de que cualquier RPM que es procedido contenga valores de compresores de carga \u00fatil v\u00e1lidos/conocidos como gzip, bzip2, xz, zstd y lzma. El campo del compresor de carga \u00fatil en un rpm puede comprobarse al usar la herramienta de l\u00ednea de comandos rpm"}], "lastModified": "2024-11-21T07:17:49.317", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ruby-arr-pm_project:ruby-arr-pm:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "0DCB3286-980B-4B5B-8A8E-128C03D4B03F", "versionEndExcluding": "0.0.12"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}