How severe is CVE-2022-39243?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2022-39243?

This is classified as CWE-77, which is a common weakness in software security.

CVE-2022-39243 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM's Java_java_lang_UNIXProcess_forkAndExec method (1.2.0+), attackers can use NUL characters in their strings to perform command line injection. Java's ProcessBuilder isn't vulnerable because of a check in ProcessBuilder.start. NuProcess is missing that check. This vulnerability can only be exploited to inject command line arguments on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can sanitize command strings to remove NUL characters prior to passing them to NuProcess for execution.

Related Vulnerabilities

CVE-2005-2773

CRITICAL

CVSS:9.8(Critical)

HP OpenView Network Node Manager 6.2 through 7.50 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) node parameter to connectedNodes.ovpl, (2) cdpView.ovpl, (3)...

CWE-772005

CVE-2007-3010

CRITICAL

CVSS:9.8(Critical)

masterCGI in the Unified Maintenance Tool in Alcatel OmniPCX Enterprise Communication Server R7.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the user...

CWE-772007

CVE-2008-7313

CRITICAL

CVSS:9.8(Critical)

The _httpsrequest function in Snoopy allows remote attackers to execute arbitrary commands. NOTE: this issue exists dues to an incomplete fix for CVE-2008-4796.

CWE-772008

CVE-2008-7315

CRITICAL

CVSS:9.8(Critical)

UI-Dialog 1.09 and earlier allows remote attackers to execute arbitrary commands.

CWE-772008

CVE-2008-7319

CRITICAL

CVSS:9.8(Critical)

The Net::Ping::External extension through 0.15 for Perl does not properly sanitize arguments (e.g., invalid hostnames) containing shell metacharacters before use of backticks in External.pm, allowing ...

CWE-772008

CVE-2009-5156

CRITICAL

CVSS:9.8(Critical)

An issue was discovered on ASMAX AR-804gu 66.34.1 devices. There is Command Injection via the cgi-bin/script query string.

CWE-772009