{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-20T14:52:07.398","vulnerabilities":[{"cve":{"id":"CVE-2022-39224","sourceIdentifier":"security-advisories@github.com","published":"2022-09-21T23:15:09.623","lastModified":"2024-11-21T07:17:49.317","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"Arr-pm is an RPM reader/writer library written in Ruby. Versions prior to 0.0.12 are subject to OS command injection resulting in shell execution if the RPM contains a malicious \"payload compressor\" field. This vulnerability impacts the `extract` and `files` methods of the `RPM::File` class of this library. Version 0.0.12 patches these issues. A workaround for this issue is to ensure any RPMs being processed contain valid/known payload compressor values such as gzip, bzip2, xz, zstd, and lzma. The payload compressor field in an rpm can be checked by using the rpm command line tool."},{"lang":"es","value":"Arr-pm es una biblioteca de lectura/escritura de RPM escrita en Ruby. Las versiones anteriores a 0.0.12 están sujetas a una inyección de comandos del Sistema Operativo, resultando en una ejecución de shell si el RPM contiene un campo \"payload compressor\" malicioso. Esta vulnerabilidad afecta a los métodos \"extract\" y \"files\" de la clase \"RPM::File\" de esta biblioteca. La versión 0.0.12 parchea estos problemas. Una mitigación para este problema es asegurarse de que cualquier RPM que es procedido contenga valores de compresores de carga útil válidos/conocidos como gzip, bzip2, xz, zstd y lzma. El campo del compresor de carga útil en un rpm puede comprobarse al usar la herramienta de línea de comandos rpm"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.0,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.0,"impactScore":5.9},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-78"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ruby-arr-pm_project:ruby-arr-pm:*:*:*:*:*:ruby:*:*","versionEndExcluding":"0.0.12","matchCriteriaId":"0DCB3286-980B-4B5B-8A8E-128C03D4B03F"}]}]}],"references":[{"url":"https://github.com/jordansissel/ruby-arr-pm/pull/14","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/jordansissel/ruby-arr-pm/pull/15","source":"security-advisories@github.com","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q","source":"security-advisories@github.com","tags":["Exploit","Third Party Advisory"]},{"url":"https://github.com/jordansissel/ruby-arr-pm/pull/14","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/jordansissel/ruby-arr-pm/pull/15","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch","Third Party Advisory"]},{"url":"https://github.com/jordansissel/ruby-arr-pm/security/advisories/GHSA-88cv-mj24-8w3q","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Third Party Advisory"]}]}}]}