Command Injection Vulnerability in spice-vdagent by FreeDesktop
CVE-2017-15108

7.8HIGH

Key Information:

Vendor
Red Hat
Vendor
CVE Published:
20 January 2018

Summary

The spice-vdagent component up to version 0.17.0 is susceptible to a command injection vulnerability due to inadequate escaping of the save directory before it is passed to the shell. This weakness allows a local attacker, equipped with access to the session in which the agent operates, to execute arbitrary commands, potentially leading to unauthorized system control or data exposure.

Affected Version(s)

spice-vdagent up to and including 0.17.0

References

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.