CVE-2022-39224

Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ruby-arr-pm_project:ruby-arr-pm:*:*:*:*:*:ruby:*:*

History

26 Sep 2022, 13:41

Type Values Removed Values Added
References (CONFIRM) https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q - (CONFIRM) https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q - Exploit, Third Party Advisory
References (MISC) https://github.com/jordansissel/ruby-arr-pm/pull/15 - (MISC) https://github.com/jordansissel/ruby-arr-pm/pull/15 - Patch, Third Party Advisory
References (MISC) https://github.com/jordansissel/ruby-arr-pm/pull/14 - (MISC) https://github.com/jordansissel/ruby-arr-pm/pull/14 - Patch, Third Party Advisory
CWE CWE-78
First Time Ruby-arr-pm Project ruby-arr-pm
Ruby-arr-pm Project
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.8
CPE cpe:2.3:a:ruby-arr-pm_project:ruby-arr-pm:*:*:*:*:*:ruby:*:*

22 Sep 2022, 00:15

Type Values Removed Values Added
Summary Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool. Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.

21 Sep 2022, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-09-21 23:15

Updated : 2023-12-10 14:35


NVD link : CVE-2022-39224

Mitre link : CVE-2022-39224

CVE.ORG link : CVE-2022-39224


JSON object : View

Products Affected

ruby-arr-pm_project

  • ruby-arr-pm
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')