Command Injection Vulnerability in Evince PDF Viewer by GNOME
CVE-2017-1000159

7.8HIGH

Key Information:

Vendor

Gnome
Status
Evince
Vendor
CVE Published:
27 November 2017

What is CVE-2017-1000159?

Evince, a PDF viewer developed by GNOME, suffers from a command injection vulnerability that allows malicious users to manipulate filenames when printing to PDF. This flaw potentially enables attackers to execute arbitrary commands on the underlying system by carefully crafting the filenames used. It is essential to update to version 3.25.91 or later to mitigate risks associated with this vulnerability. Security updates have been released to address this issue across various distributions, ensuring that users have the latest protections against exploitation.

References

https://security.gentoo.org/glsa/201804-15
vendor-advisoryx_refsource_GENTOO
https://lists.debian.org/debian-lts-announce/2017/12/msg0...
mailing-listx_refsource_MLIST
https://bugzilla.gnome.org/show_bug.cgi?id=784947
x_refsource_CONFIRM

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.