NuProcess is an external process execution implementation for Java. In all versions of NuProcess that fork processes through the JVM's Java_java_lang_UNIXProcess_forkAndExec method (1.2.0 and later), an attacker who controls a string passed to NuProcess can embed NUL characters in it to perform command line injection: forkAndExec receives the command as a block of NUL-terminated C strings, so a NUL inside one argument ends that argument early and turns the remainder into a separate argument. Java's own ProcessBuilder is not vulnerable because ProcessBuilder.start rejects any command or argument containing a NUL character; NuProcess was missing that check. The flaw can only be exploited to inject command line arguments, and only on Linux. Version 2.0.5 contains a patch. As a workaround, users of the library can check command strings for NUL characters (rejecting or removing them) before passing them to NuProcess for execution.
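The mechanism, as an added illustration that is not code from NuProcess or the JDK: forkAndExec receives the command as one byte array of NUL-terminated C strings plus a count, so the model below packs and unpacks a command list the same way to show what the child process would see, and requireNoNul is the guard the workaround calls for (it mirrors the check in ProcessBuilder.start). The class name, the method names and the curl command line are assumptions chosen for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Illustration added to this entry; not NuProcess or JDK code.
 *
 * forkAndExec takes the arguments as one byte[] of NUL-terminated C strings
 * plus a count (argc). packArgBlock/unpackAsNative model that convention so
 * the effect of an embedded NUL can be observed without launching anything.
 * requireNoNul is the kind of guard ProcessBuilder.start performs and that the
 * NuProcess workaround asks callers to add before building a NuProcessBuilder.
 */
public final class NulArgumentInjectionDemo {

    /** Fail closed: reject any command element that contains a NUL character. */
    static void requireNoNul(List<String> command) {
        for (String element : command) {
            if (element.indexOf('\u0000') >= 0) {
                throw new IllegalArgumentException("invalid null character in command");
            }
        }
    }

    /** Each element's UTF-8 bytes followed by one NUL terminator; nothing is escaped. */
    static byte[] packArgBlock(List<String> command) {
        List<byte[]> encoded = new ArrayList<>();
        int size = command.size();               // one terminator per element
        for (String element : command) {
            byte[] bytes = element.getBytes(StandardCharsets.UTF_8);
            encoded.add(bytes);
            size += bytes.length;
        }
        byte[] block = new byte[size];           // zero-filled, so terminators are already NUL
        int pos = 0;
        for (byte[] bytes : encoded) {
            System.arraycopy(bytes, 0, block, pos, bytes.length);
            pos += bytes.length + 1;
        }
        return block;
    }

    /**
     * Read argc C strings back out of the block, each ending at the next NUL.
     * A NUL inside an element therefore ends it early, the remainder fills the
     * next argv slot, and the caller's trailing arguments fall off the end
     * because the count does not change.
     */
    static List<String> unpackAsNative(byte[] block, int argc) {
        List<String> argv = new ArrayList<>();
        int pos = 0;
        for (int i = 0; i < argc; i++) {
            int end = pos;
            while (end < block.length && block[end] != 0) {
                end++;
            }
            argv.add(new String(block, pos, end - pos, StandardCharsets.UTF_8));
            pos = end + 1;
        }
        return argv;
    }

    /** The argv the child process would receive for this command list. */
    static List<String> argvSeenByChild(List<String> command) {
        return unpackAsNative(packArgBlock(command), command.size());
    }

    /** Make embedded NULs visible when printing. */
    static String show(List<String> command) {
        return command.toString().replace("\u0000", "\\0");
    }

    public static void main(String[] args) {
        // Constructed sample: the program intends to download one URL to a fixed file,
        // and only the URL is attacker-controlled.
        String attackerUrl = "http://example.invalid/\u0000--output\u0000/tmp/attacker-chosen";
        List<String> command = Arrays.asList("curl", attackerUrl, "--output", "/tmp/safe-download");

        System.out.println("intended argv : " + show(command));
        System.out.println("effective argv: " + show(argvSeenByChild(command)));
        // argc stays 4, so "--output /tmp/attacker-chosen" occupies the two slots
        // that "--output /tmp/safe-download" was meant to fill.

        try {
            requireNoNul(command);
        } catch (IllegalArgumentException e) {
            System.out.println("guard rejected the command: " + e.getMessage());
        }
    }
}
```

On an affected version, call requireNoNul(command) immediately before constructing the NuProcessBuilder from the same list. Rejecting is preferable to stripping the NUL: removing it silently changes the argument the caller asked for while still executing the command, whereas a thrown exception surfaces the attempt.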
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Nuprocess | Nuprocess_project | 1.2.0 (including) | 2.0.5 (excluding) |
Watchman | Ubuntu | kinetic | * |
Watchman | Ubuntu | lunar | * |
Watchman | Ubuntu | mantic | * |
Watchman | Ubuntu | trusty | * |
Watchman | Ubuntu | xenial | * |
Command injection vulnerabilities typically occur when:
Many protocols and products have their own custom command language. While OS or shell command strings are frequently discovered and targeted, developers may not realize that these other command languages might also be vulnerable to attacks. Command injection is a common problem with wrapper programs.