LOTP

maven

cli eval-sh env-var config-file

References

Config file

In pom.xml, plugins can be added. The plugin org.codehaus.mojo/exec-maven-plugin can be used to run shell commands. For example, running the env command after the clean phase:

<build>
  <plugins>
    [...]
    <plugin>
      <groupId>org.codehaus.mojo</groupId>
      <artifactId>exec-maven-plugin</artifactId>
      <version>3.1.1</version>
      <executions>
        <execution>
          <id>run-after-clean</id>
          <phase>clean</phase>
          <goals>
            <goal>exec</goal>
          </goals>
          <configuration>
            <executable>sh</executable>
            <arguments>
              <argument>-xc</argument>
              <argument>env</argument>
            </arguments>
          </configuration>
        </execution>
      </executions>
    </plugin>
    [...]
  </plugins>
</build>

Environment poisoning

If the attacker controls environment variables, MAVEN_ARGS (honoured since Maven 3.9) can be used to inject a plugin and gain RCE. In GitLab, older Maven versions can be reached the same way through MAVEN_CLI_OPTS, see this example.

export MAVEN_ARGS="org.codehaus.mojo:exec-maven-plugin:3.2.0:exec -Dexec.executable=/bin/sh"
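Detection logic covering both findings above (the exec-maven-plugin declaration in pom.xml and the MAVEN_ARGS / MAVEN_CLI_OPTS injection), written as an added example that is not part of the LOTP page: it flags plugin executions whose executable is a shell interpreter and environment values that carry an exec-maven-plugin goal. The embedded pom.xml is constructed; the SHELLS set and the goal regex are assumptions, not Maven definitions.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from a real project): exec-maven-plugin
# wired to run `sh -xc env` in the clean phase, as on the page.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <groupId>org.codehaus.mojo</groupId><artifactId>exec-maven-plugin</artifactId>
    <executions><execution><id>run-after-clean</id><phase>clean</phase>
      <configuration><executable>sh</executable>
        <arguments><argument>-xc</argument><argument>env</argument></arguments>
      </configuration></execution></executions>
  </plugin></plugins></build></project>"""

SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh"}

def _local(tag):
    # Drop the POM namespace so tags compare equal with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def _texts(nodes, name):
    # Stripped text of every node in `nodes` whose local tag is `name`.
    return [(n.text or "").strip() for n in nodes if _local(n.tag) == name]

def find_exec_plugin_shells(pom_xml):
    """Return (phase, executable, arguments) for each exec-maven-plugin
    execution whose executable is a shell interpreter."""
    findings = []
    for plugin in ET.fromstring(pom_xml).iter():
        # Direct children only, so dependencies nested in the plugin are ignored.
        if _local(plugin.tag) != "plugin" or "exec-maven-plugin" not in _texts(plugin, "artifactId"):
            continue
        for execution in plugin.iter():
            if _local(execution.tag) != "execution":
                continue
            exe = next(iter(_texts(execution.iter(), "executable")), None)
            if exe and os.path.basename(exe) in SHELLS:
                phase = next(iter(_texts(execution.iter(), "phase")), None)
                findings.append((phase, exe, _texts(execution.iter(), "argument")))
    return findings

# Goal coordinates look like org.codehaus.mojo:exec-maven-plugin[:version]:exec
_EXEC_GOAL = re.compile(r"exec-maven-plugin(?::\S+)?:(exec|java)\b")

def env_injects_exec_plugin(env):
    """True if MAVEN_ARGS (Maven >= 3.9) or MAVEN_CLI_OPTS (GitLab CI
    templates) carries an exec-maven-plugin goal."""
    return any(_EXEC_GOAL.search(env.get(v, "")) for v in ("MAVEN_ARGS", "MAVEN_CLI_OPTS"))
```

Run `find_exec_plugin_shells` over the repository's pom.xml and `env_injects_exec_plugin(os.environ)` in a pre-build step to surface either condition before `mvn` is invoked.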