CVE-2022-39224

Public Exploit

Arbitrary shell execution when extracting or listing files contained in a malicious rpm.

Description

Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious "payload compressor" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool.

References

Link	Tags
https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q	third party advisory exploit
https://github.com/jordansissel/ruby-arr-pm/pull/15	third party advisory patch
https://github.com/jordansissel/ruby-arr-pm/pull/14	third party advisory patch

Frequently Asked Questions

What is the severity of CVE-2022-39224?: CVE-2022-39224 has been scored as a high severity vulnerability.
How to fix CVE-2022-39224?: To fix CVE-2022-39224, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-39224 being actively exploited in the wild?: It is possible that CVE-2022-39224 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-39224?: CVE-2022-39224 affects jordansissel ruby-arr-pm.

Description

Category

CWE-78 – Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

References

Frequently Asked Questions