#VU79653 Improper Neutralization of Null Byte or NUL Character in NuProcess - CVE-2022-39243

Cybersecurity Help s.r.o.

Published: 2023-08-17

Vulnerability identifier: #VU79653

Vulnerability risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-39243

CWE-ID: CWE-158

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
NuProcess
Universal components / Libraries / Programming Languages & Components

Vendor: brettwooldridge

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a missing check in ProcessBuilder.start. A remote unauthenticated attacker can use NUL characters in their strings to perform command line injection.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

NuProcess: 1.0.2 - 2.0.4

External links
https://github.com/brettwooldridge/NuProcess/commit/29bc09de561bf00ff9bf77123756363a9709f868
https://github.com/brettwooldridge/NuProcess/security/advisories/GHSA-cxgf-v2p8-7ph7
https://github.com/brettwooldridge/NuProcess/pull/143

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell PowerStore Family