Vulnerability Description
JavaCPP Presets is a project providing Java distributions of native C++ libraries. All the GitHub Actions workflows in the `bytedeco/javacpp-presets` repository use the `github.event.head_commit.message` parameter in an insecure way. For example, the commit message is interpolated directly into a `run` step, so the text of the commit message becomes part of the shell script the runner executes, resulting in a command injection vulnerability. No exploitation has been reported. This issue has been addressed in version 1.5.9. Users of JavaCPP Presets are advised to upgrade as a precaution.
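The pattern described above, shown as an added illustration rather than the project's own workflow: the first step interpolates the commit message into the script text with `${{ ... }}`, which the runner expands before the shell ever runs, so commit-message content is treated as code. The second step is the usual hardening, passing the value through an environment variable (`COMMIT_MSG` is an assumed name) so the shell only ever sees it as quoted data. The workflow name and job layout are constructed for the example.

```yaml
# Constructed example workflow (not from bytedeco/javacpp-presets):
# an unsafe step and its hardened equivalent side by side.
name: build
on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # UNSAFE: the expression is substituted into the script source before the
      # shell starts, so shell metacharacters in the commit message are executed.
      - name: Log commit (vulnerable pattern)
        run: echo "Building ${{ github.event.head_commit.message }}"

      # HARDENED: the value reaches the step only as an environment variable,
      # and the double-quoted expansion keeps it as a plain string.
      - name: Log commit (hardened)
        env:
          COMMIT_MSG: ${{ github.event.head_commit.message }}
        run: echo "Building $COMMIT_MSG"
```

The same rule applies to every other event-controlled field (issue titles, PR bodies, branch names): never place `${{ ... }}` inside a `run` script; bind it to `env` and reference the variable in quotes. Searching workflow files for `${{ github.event.` on `run:` lines is a quick way to find remaining instances.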
CVSS Score
MEDIUM (base score 4.3)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bytedeco | Javacpp Presets | < 1.5.9 |
Related Weaknesses (CWE)
References
- https://github.com/bytedeco/javacpp-presets/security/advisories/GHSA-36rx-hq22-j (Vendor Advisory)
- https://securitylab.github.com/research/github-actions-untrusted-input/ (Exploit, Third Party Advisory)
FAQ
What is CVE-2023-34112?
CVE-2023-34112 is a vulnerability with a CVSS score of 4.3 (MEDIUM). JavaCPP Presets is a project providing Java distributions of native C++ libraries. All the GitHub Actions workflows in the `bytedeco/javacpp-presets` repository use the `github.event.head_commit.message` parameter in an insecure way, interpolating the commit message into a `run` step and thereby allowing command injection. The issue is fixed in version 1.5.9.
How severe is CVE-2023-34112?
CVE-2023-34112 has been rated MEDIUM with a CVSS base score of 4.3/10; see the CVSS Score section above.
Is there a patch for CVE-2023-34112?
Yes. The fix is included in JavaCPP Presets 1.5.9; see the References section above for the vendor advisory. Affected products: Bytedeco JavaCPP Presets before 1.5.9.