SNYK-JAVA-COMGOOGLECLOUDTOOLS-2968871

SNYK-JAVA-COMGOOGLECLOUDTOOLS-2968871 PUBLISHED CVSS 5.599999904632568 MEDIUM

## Overview Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the `isDockerInstalled` function, due to attempting to execute input. ## PoC: ```java public static void poc(){ Path path = Paths.get("whoami"); DockerClient.isDockerInstalled(path); } ``` ## Remediation Upgrade `com.google.cloud.tools:jib-core` to version 0.22.0 or higher. ## References - [GitHub Commit](https://github.com/GoogleContainerTools/jib/commit/67fa40bc2c484da0546333914ea07a89fe44eaaf) - [GitHub PR](https://github.com/GoogleContainerTools/jib/pull/3744)

Risk Scores

CVSS v3.1

5.599999904632568

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected Products

Vendor	Product	Versions
		0

Timeline

Aug 3, 2022 CVE Updated
Sep 7, 2022 CVE Published

References

https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECLOUDTOOLS-2968871 advisory
https://learn.snyk.io/lesson/malicious-code-injection/ technical
https://github.com/GoogleContainerTools/jib/commit/67fa40bc2c484da0546333914ea07a89fe44eaaf patch
https://github.com/GoogleContainerTools/jib/pull/3744 patch

Open in Interactive Console →