{"id":"CVE-2017-1000487","details":"Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.","aliases":["GHSA-8vhq-qq4p-grq3"],"modified":"2026-04-10T03:56:07.858350Z","published":"2018-01-03T20:29:00.703Z","related":["SNYK-JAVA-ORGCODEHAUSPLEXUS-31522"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r2e94f72f53df432302d359fd66cfa9e9efb8d42633d54579a4377e62%40%3Cdev.avro.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r9584c4304c888f651d214341a939bd264ed30c9e3d0d30fe85097ecf%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/01/msg00010.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/01/msg00011.html"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4146"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4149"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:1322"},{"type":"FIX","url":"https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-31522"},{"type":"FIX","url":"https://github.com/codehaus-plexus/plexus-utils/commit/b38a1b3a4352303e4312b2bb601a0d7ec6e28f41"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/codehaus-plexus/plexus-utils","events":[{"introduced":"0"},{"fixed":"cf317f9b4070c3c619e9ee75a3e38bea3ff621c1"},{"fixed":"b38a1b3a4352303e4312b2bb601a0d7ec6e28f41"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.0.16"}]}}],"versions":["plexus-utils-2.0.7","plexus-utils-2.1","plexus-utils-3.0","plexus-utils-3.0.1","plexus-utils-3.0.10","plexus-utils-3.0.11","plexus-utils-3.0.12","plexus-utils-3.0.13","plexus-utils-3.0.14","plexus-utils-3.0.15","plexus-utils-3.0.2","plexus-utils-3.0.3","plexus-utils-3.0.4","plexus-utils-3.0.5","plexus-utils-3.0.6","plexus-utils-3.0.7","plexus-utils-3.0.8","plexus-utils-3.0.9"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-1000487.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}