luzhanov changed the title from "Security Vulnerability Alert and Request for Fix: SNYK-JAVA-WSSCHILD-6154599" to "Security Vulnerability Alert and Request for Fix: SNYK-JAVA-WSSCHILD-6154599 / CVE-2023-48909" on Jan 18, 2024
That's a rather strange CVE.
It just says that you can run any OS command when you use the executor class.
That would be the same as reporting a vulnerability in bash, since there you can also run any command...
The Java built-in Runtime.getRuntime().exec(...) method would then also be a security vulnerability.
Here are a few suggestions for what can potentially be done (not specifically fixing a potential vulnerability, but rather improvements):

Replace Runtime.exec() with ProcessBuilder, something like this:

```java
// Start ffmpeg from an argument list: every element is passed to the
// process as one argument, and no shell is involved.
ProcessBuilder processBuilder = new ProcessBuilder(execList);
ffmpeg = processBuilder.start();
if (destroyOnRuntimeShutdown) {
    // Same cleanup as before: kill the ffmpeg process when the JVM exits.
    ffmpegKiller = new ProcessKiller(ffmpeg);
    Runtime.getRuntime().addShutdownHook(ffmpegKiller);
}
```

Implement character validation for commands inputted by the user (removing suspicious characters). This may be challenging, as FFmpeg uses various characters in its configuration, and some special characters are valid in file names.
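As an added example (not jave2's code and not the commenter's), the following Java class puts the two suggestions above together: ffmpeg is started from an argument list through ProcessBuilder, so no shell is involved and a file name containing shell metacharacters is just one literal argument, while the user-controlled pieces (file names, codec) are checked before they are appended to that list. Rather than stripping "suspicious characters" from everything, it rejects only inputs that could change what ffmpeg does instead of which file it opens: names starting with "-" (parsed by ffmpeg as options when they land in a positional slot), names escaping a fixed media directory, and codec names outside an allowlist. The class name, the media root, the allowed-codec set and the sample file names are assumptions made for this example; it assumes a Unix-style path layout and an ffmpeg binary on PATH.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example, not jave2 code. SafeFfmpegCommand, MEDIA_ROOT and
// ALLOWED_VIDEO_CODECS are hypothetical names chosen for the illustration.
public class SafeFfmpegCommand {

    // All user-supplied media paths must resolve inside this directory (assumption for the example).
    static final Path MEDIA_ROOT = Paths.get("/srv/media").toAbsolutePath().normalize();

    // Codec names come from a fixed allowlist instead of straight from the request.
    static final Set<String> ALLOWED_VIDEO_CODECS =
            new HashSet<>(Arrays.asList("libx264", "libx265", "libvpx-vp9", "copy"));

    /**
     * Turn a user-supplied relative file name into an absolute path under MEDIA_ROOT.
     * Rejects anything ffmpeg could parse as an option and anything that escapes
     * the root via "..". Because the result always begins with MEDIA_ROOT, it can
     * never be read by ffmpeg as a protocol URL such as "http:" or "concat:" either.
     */
    static Path validateMediaPath(String userInput) {
        if (userInput == null || userInput.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        if (userInput.startsWith("-")) {
            // A positional argument such as "-f" or "-filter_complex" would be taken as an ffmpeg option.
            throw new IllegalArgumentException("file name must not start with '-': " + userInput);
        }
        if (userInput.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("file name contains a NUL byte");
        }
        Path resolved = MEDIA_ROOT.resolve(userInput).normalize();
        if (!resolved.startsWith(MEDIA_ROOT)) {
            throw new IllegalArgumentException("path escapes media root: " + userInput);
        }
        return resolved;
    }

    static String validateVideoCodec(String codec) {
        if (codec == null || !ALLOWED_VIDEO_CODECS.contains(codec)) {
            throw new IllegalArgumentException("codec not allowed: " + codec);
        }
        return codec;
    }

    /** Build the argv list. Each element is exactly one argument; nothing is joined or re-split. */
    static List<String> buildCommand(String inputName, String outputName, String codec) {
        Path input = validateMediaPath(inputName);
        Path output = validateMediaPath(outputName);
        List<String> cmd = new ArrayList<>();
        cmd.add("ffmpeg");
        cmd.add("-hide_banner");
        cmd.add("-y");
        cmd.add("-i");
        cmd.add(input.toString());
        cmd.add("-c:v");
        cmd.add(validateVideoCodec(codec));
        cmd.add(output.toString());
        return cmd;
    }

    /** Start ffmpeg directly (no /bin/sh) and make sure it dies with the JVM, as jave2's ProcessKiller does. */
    static Process start(List<String> cmd) throws IOException {
        ProcessBuilder pb = new ProcessBuilder(cmd);
        pb.redirectErrorStream(true);
        Process ffmpeg = pb.start();
        Runtime.getRuntime().addShutdownHook(new Thread(ffmpeg::destroyForcibly));
        return ffmpeg;
    }

    public static void main(String[] args) {
        // Shell metacharacters in a file name are harmless here: the whole name is one argv element.
        System.out.println(buildCommand("clip; rm -rf ~.mp4", "out.mp4", "libx264"));

        // Inputs that would change what ffmpeg does are rejected before any process is started.
        for (String badName : new String[] {"-f", "../../etc/passwd"}) {
            try {
                validateMediaPath(badName);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        try {
            validateVideoCodec("libx264 -i /etc/passwd");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The design choice worth noting is that the argument list is never turned into a single string: with ProcessBuilder (and, for that matter, with Runtime.exec(String[])) the operating system receives exactly the elements of the list, so quoting and metacharacter stripping are unnecessary for the shell-injection case, and the validation can concentrate on the one thing that still matters for ffmpeg itself, namely an argument being interpreted as an option or a non-file URL instead of the intended file.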
Hi @a-schild, I am writing to bring to your attention a recently discovered security vulnerability in jave2 posted in the Snyk database:

Vulnerability Details:
Identifier: SNYK-JAVA-WSSCHILD-6154599
Level: CRITICAL
Description: Snyk Vulnerability Report - I'm not 100% sure it is a public link
Description CVE: https://www.cve.org/CVERecord?id=CVE-2023-48909

This vulnerability poses a risk to the security and integrity of applications that use the jave2 library as a dependency. I am reaching out to discuss the potential steps we can take towards a resolution.

Thank you for your time and dedication to maintaining the high standards of the jave2 library. I look forward to your guidance on how best to proceed.