Shell Metacharacter Injection in Kiwi by SUSE
CVE-2011-3180

Currently unrated

Key Information:

Vendor: Suse
Status: Studio Extension For System Z; Studio Onsite; Kiwi
Vendor: CVE Published:; 16 April 2014

Summary

A vulnerability exists in Kiwi that allows an attacker to execute arbitrary commands by manipulating shell metacharacters in the path of an overlay file. This affects versions of Kiwi prior to 4.98.08, as well as SUSE Studio Onsite and SUSE Studio Extension for System z versions prior to their respective 1.2.1 updates. This issue poses a significant risk, as it enables unauthorized command execution, bypassing typical security controls.

References

http://www.openwall.com/lists/oss-security/2011/11/02/4

mailing-listx_refsource_MLIST

https://github.com/openSUSE/kiwi/commit/f0f74b3f6ac6d47f7...

x_refsource_CONFIRM

http://lists.opensuse.org/opensuse-security-announce/2011...

vendor-advisoryx_refsource_SUSE

Timeline

Vulnerability published
Apr 16, 2014
Vulnerability Reserved
Aug 19, 2011