Affected Alluxio Version:
All versions before the latest (2.9.3).
Describe the vulnerability
Passing a username containing Unix shell special characters as the parameter of alluxio.util.CommonUtils.getUnixGroups(java.lang.String) can inject malicious commands. For example, the following code
CommonUtils.getUnixGroups("| echo 123");
would finally execute bash -c id -gn | echo 123; id -Gn. Therefore the malicious code echo 123 is executed.
To Reproduce
Just executing alluxio.util.CommonUtils.getUnixGroups("| echo 123") would reproduce it.
Are you planning to fix it
I've already submitted a pull request. See #17256.
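The injection pattern described in the report, next to a hardened form, as an added example (not Alluxio's code and not the fix from the pull request). The class name, the helper names, the allow-list pattern, and the exact shape of the concatenated string are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class UnixGroupsExample {
  // Assumption: conservative allow-list for account names; adjust to your directory's rules.
  private static final Pattern SAFE_USER = Pattern.compile("[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}");

  // Assumed shape of the vulnerable construction: user is spliced into text that bash parses.
  static String[] vulnerableCommand(String user) {
    return new String[] {"bash", "-c", "id -gn " + user + "; id -Gn " + user};
  }

  // Hardened shape: no shell, user is one argv element, "--" ends option parsing.
  static String[] safeCommand(String flag, String user) {
    if (user == null || !SAFE_USER.matcher(user).matches()) {
      throw new IllegalArgumentException("rejected user name");
    }
    return new String[] {"id", flag, "--", user};
  }

  // Runs argv directly, without a shell, and returns the whitespace-separated group names.
  static List<String> run(String[] argv) throws IOException, InterruptedException {
    Process p = new ProcessBuilder(argv).redirectError(ProcessBuilder.Redirect.INHERIT).start();
    p.getOutputStream().close();
    String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8).trim();
    if (p.waitFor() != 0) {
      throw new IOException("id exited with status " + p.exitValue());
    }
    return Arrays.asList(out.split("\\s+"));
  }

  public static void main(String[] args) throws Exception {
    String payload = "| echo 123"; // value from the report
    // Printed only, never executed: shows the pipe and semicolon reaching the shell.
    System.out.println(String.join(" ", vulnerableCommand(payload)));
    try {
      safeCommand("-gn", payload);
    } catch (IllegalArgumentException e) {
      System.out.println("payload blocked: " + e.getMessage());
    }
    String me = System.getProperty("user.name");
    System.out.println(run(safeCommand("-gn", me)));
    System.out.println(run(safeCommand("-Gn", me)));
  }
}
```

Removing the shell is what closes the hole; the allow-list is defense in depth so that malformed names fail early instead of reaching `id` at all.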