Potential command line injection from secret

### Description

Mirror of `TOB-JKUBE-2`.

As part of the Spring Boot watcher functionality, JKube executes a second Java process. The
command line for this process is crafted in an unsafe way, by interpolating an arbitrary
secret in the command line. This command line is then tokenized by separating on spaces.
If the secret contains spaces, this can allow an attacker to add arbitrary arguments and
command line flags and modify the behavior of this command execution.

https://github.com/eclipse/jkube/blob/12edf4a2f947ad1e0b2b44d8317a6052097f93af/jkube-kit/jkube-kit-spring-boot/src/main/java/org/eclipse/jkube/springboot/watcher/SpringBootWatcher.java#L163-L166



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Potential command line injection from secret #2166

Description

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Potential command line injection from secret #2166

Description

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions