Improper Neutralization of Null Byte or NUL Character in NuProcess

#VU79653 Improper Neutralization of Null Byte or NUL Character in NuProcess

Published: 2023-08-17

Vulnerability identifier: #VU79653

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-39243

CWE-ID: CWE-158

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
NuProcess
Universal components / Libraries / Programming Languages & Components

Vendor: brettwooldridge

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a missing check in ProcessBuilder.start. A remote unauthenticated attacker can use NUL characters in their strings to perform command line injection.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

NuProcess: 1.0.2 - 2.0.4

External links
http://github.com/brettwooldridge/NuProcess/commit/29bc09de561bf00ff9bf77123756363a9709f868
http://github.com/brettwooldridge/NuProcess/security/advisories/GHSA-cxgf-v2p8-7ph7
http://github.com/brettwooldridge/NuProcess/pull/143

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell PowerStore Family