A vulnerability in the Commandline class in plexus-utils could allow an unauthenticated, remote attacker to inject and execute arbitrary shell commands on a tar