CVE-2022-29599

CRITICAL

Apache Maven maven-shared-utils <3.3.3 - Command Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-29599. PoCs published by dawetmaster, andikahilmy.

AI-analyzed exploit summary This repository contains the source code for Apache Maven Shared Utils but lacks any exploit code or technical analysis related to CVE-2022-29599. It appears to be a fork or snapshot of the vulnerable version without additional context or PoC.

Description

In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.

Exploits (2)

nomisec STUB
by dawetmaster · poc
https://github.com/dawetmaster/CVE-2022-29599-maven-shared-utils-vulnerable

This repository contains the source code for Apache Maven Shared Utils but lacks any exploit code or technical analysis related to CVE-2022-29599. It appears to be a fork or snapshot of the vulnerable version without additional context or PoC.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Apache Maven Shared Utils
No auth needed
Prerequisites: None
devstral-2 · analyzed Mar 14, 2026 Full analysis →
nomisec WORKING POC
by andikahilmy · poc
https://github.com/andikahilmy/CVE-2022-29599-maven-shared-utils-vulnerable

This repository contains a vulnerable version of Apache Maven Shared Utils, specifically targeting CVE-2022-29599. The code includes the affected files, such as `Commandline.java`, which is known to be vulnerable to command injection due to improper handling of command-line arguments.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Apache Maven Shared Utils (versions prior to 3.3.4)
No auth needed
Prerequisites: Access to a system using the vulnerable version of Maven Shared Utils · Ability to craft malicious input to exploit command injection
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5
Core References
Patch, Vendor Advisory x_refsource_misc
https://issues.apache.org/jira/browse/MSHARED-297
Patch, Third Party Advisory x_refsource_misc
https://github.com/apache/maven-shared-utils/pull/40
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2022/05/23/3
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2022/08/msg00018.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2022/dsa-5242

Scores

CVSS v3 9.8
EPSS 0.0026
EPSS Percentile 49.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-116
Status published
Products (4)
apache/maven_shared_utils < 3.3.3
debian/debian_linux 10.0
debian/debian_linux 11.0
org.apache.maven.shared/maven-shared-utils 0 - 3.3.3Maven
Published May 23, 2022
Tracked Since Feb 18, 2026