Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2017-1000487 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue affects the versions of plexus-utils as shipped with Red Hat Enterprise Linux 7 as well as Red Hat Satellite 6.0 and 6.1. Red Hat Satellite 6.2 and later do not ship plexus-utils, as such they are not affected by this vulnerability. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
| CVSS3 Base Score | 7.8 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Fuse 6.3 | RHSA-2018:1322 | 2018-05-03 |
| Red Hat JBoss A-MQ 6.3 | RHSA-2018:1322 | 2018-05-03 |
| Platform | Package | State |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux | plexus-utils | Not affected |
| Red Hat Single Sign-On 7 | plexus-utils | Not affected |
| Red Hat Satellite 6 | plexus-utils | Not affected |
| Red Hat OpenStack Platform 9.0 | opendaylight | Will not fix |
| Red Hat OpenStack Platform 8.0 (Liberty) | opendaylight | Will not fix |
| Red Hat JBoss Portal Platform 6 | plexus-utils | Will not fix |
| Red Hat JBoss Fuse Service Works 6 | plexus-utils | Will not fix |
| Red Hat JBoss Data Virtualization 6 | plexus-utils | Not affected |
| Red Hat JBoss BRMS 6 | plexus-utils | Not affected |
| Red Hat JBoss BPMS 6 | plexus-utils | Not affected |
| Red Hat Enterprise Linux 7 | plexus-utils | Will not fix |
Vulmon