Advisories for Maven/Com.diffplug.gradle/Goomph package

2022

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

This affects the package com.diffplug.gradle:goomph before 3.37.2. It allows a malicious zip file to potentially break out of the expected destination directory, writing contents into arbitrary locations on the file system. Overwriting certain files/directories could allow an attacker to achieve remote code execution on a target system by exploiting this vulnerability. Note: This could have allowed a malicious zip file to extract itself into an arbitrary directory. The only file …