Affected Version
The latest version 0.2.5 and below.
Describe the vulnerability
There is a method, org.jcodec.testing.TestTool.main1, designed to compare the results of jcodec and jm. However, passing an unchecked argument to this API can lead to the execution of arbitrary commands. For instance, the following code opens ten calculators on Windows:
TestTool.main1(new String[]{"C:/Windows/System32/cmd.exe /c \"for /l %i in (1, 1, 10) do calc\"",
                            "E:/foo/bar.mp4",
                            "E:/foo"});
Potential Danger
Remote Code Injection (RCE).
To Reproduce
Executing the code above reproduces it.
Fix Suggestion
There are two ways to resolve this issue. First, I strongly recommend moving TestTool.java from src/main/java/... to src/test/java/..., because exposing this API in a production environment does not seem necessary. Alternatively, you can simply delete TestTool.java and all code related to it.
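If the tool has to stay callable, the underlying weakness is that a caller-controlled string is handed to the process spawner without validation. The following is an added example of a hardened launcher, not jcodec's own code: the class name, the allowed-root directory, the "-i"/"-o" argument layout and the "/opt/jm" path are all assumptions for illustration (the real jm decoder takes different options). It validates that the supplied decoder is an existing executable file inside an operator-chosen directory, and passes every argument as a separate argv entry via ProcessBuilder so no shell ever parses the input. Requires Java 11 or later.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical hardened launcher for an external reference decoder.
 * Added example, not jcodec's own code: the allowed-root directory and
 * the argument layout are assumptions for illustration.
 */
public final class SafeDecoderLauncher {

    /** Only binaries under this directory may be launched (assumed deployment choice). */
    private final Path allowedRoot;

    public SafeDecoderLauncher(Path allowedRoot) {
        this.allowedRoot = allowedRoot.toAbsolutePath().normalize();
    }

    /**
     * Validate a caller-supplied decoder path. Rejects anything that is not
     * an existing, executable regular file located under allowedRoot, so a
     * string such as "cmd.exe /c ..." never reaches the process spawn.
     */
    public Path validateExecutable(String candidate) throws IOException {
        Path p = Paths.get(candidate).toAbsolutePath().normalize();
        // toRealPath follows symlinks, so a link pointing out of the root is caught too
        Path real = p.toRealPath();
        if (!real.startsWith(allowedRoot)) {
            throw new IllegalArgumentException("decoder outside allowed root: " + candidate);
        }
        if (!Files.isRegularFile(real) || !Files.isExecutable(real)) {
            throw new IllegalArgumentException("not an executable file: " + candidate);
        }
        return real;
    }

    /**
     * Build the command as a list of separate argv entries. ProcessBuilder
     * hands these to the OS without shell interpretation, so quotes, spaces
     * or "&&" inside the input path are plain characters, not operators.
     * The "-i"/"-o" flags are assumed placeholders, not jm's real options.
     */
    public List<String> buildCommand(Path decoder, Path input, Path outDir) {
        return Arrays.asList(
                decoder.toString(),
                "-i", input.toString(),
                "-o", outDir.toString());
    }

    public int run(String decoderArg, String inputArg, String outDirArg)
            throws IOException, InterruptedException {
        Path decoder = validateExecutable(decoderArg);
        Path input = Paths.get(inputArg).toAbsolutePath().normalize();
        if (!Files.isRegularFile(input)) {
            throw new IllegalArgumentException("input is not a file: " + inputArg);
        }
        Path outDir = Paths.get(outDirArg).toAbsolutePath().normalize();
        Files.createDirectories(outDir);

        ProcessBuilder pb = new ProcessBuilder(buildCommand(decoder, input, outDir));
        pb.redirectErrorStream(true);
        Process proc = pb.start();
        // Drain and discard output here; a real comparison tool would capture it.
        proc.getInputStream().transferTo(OutputStream.nullOutputStream());
        return proc.waitFor();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: SafeDecoderLauncher <decoder> <input> <outdir>");
            System.exit(2);
        }
        // "/opt/jm" is an assumed location where the operator installs the reference decoder
        SafeDecoderLauncher launcher = new SafeDecoderLauncher(Paths.get("/opt/jm"));
        System.exit(launcher.run(args[0], args[1], args[2]));
    }
}
```

With this shape, the first argument from the report ("C:/Windows/System32/cmd.exe /c ...") fails validateExecutable before any process is created, both because it does not resolve to a file under the allowed root and because a path containing a whole command line is not a regular file. Moving the tool to src/test/java, as the report suggests, is still the simpler fix when nothing in production needs it.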