ALT-PU-2018-1958-1
Closed vulnerabilities
Published: 2018-05-10
BDU:2020-01814
Уязвимость функции open_envvar инструмента для настройки использования пользовательских приложений по умолчанию xdg-open, позволяющая нарушителю получить несанкционированный доступ к информации и нарушить ее целостность и доступность
Severity: HIGH (8.8)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
Published: 2018-05-10
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2017-18266
The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable.
Severity: HIGH (8.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
References:
- https://bugs.freedesktop.org/show_bug.cgi?id=103807
- https://bugs.freedesktop.org/show_bug.cgi?id=103807
- https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=5647afb35e4bcba2060148e1a2a47bc43cc240f2
- https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=5647afb35e4bcba2060148e1a2a47bc43cc240f2
- https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb
- https://cgit.freedesktop.org/xdg/xdg-utils/commit/?id=ce802d71c3466d1dbb24f2fe9b6db82a1f899bcb
- https://cgit.freedesktop.org/xdg/xdg-utils/tree/ChangeLog
- https://cgit.freedesktop.org/xdg/xdg-utils/tree/ChangeLog
- [debian-lts-announce] 20180525 [SECURITY] [DLA 1384-1] xdg-utils security update
- [debian-lts-announce] 20180525 [SECURITY] [DLA 1384-1] xdg-utils security update
- USN-3650-1
- USN-3650-1
- DSA-4211
- DSA-4211