Command Injection Vulnerability in spice-vdagent by FreeDesktop
CVE-2017-15108

7.8HIGH

Key Information:

Vendor: Red Hat
Status: Spice-vdagent
Vendor: CVE Published:; 20 January 2018

What is CVE-2017-15108?

The spice-vdagent component up to version 0.17.0 is susceptible to a command injection vulnerability due to inadequate escaping of the save directory before it is passed to the shell. This weakness allows a local attacker, equipped with access to the session in which the agent operates, to execute arbitrary commands, potentially leading to unauthorized system control or data exposure.

Affected Version(s)

spice-vdagent up to and including 0.17.0

References

https://security.gentoo.org/glsa/201804-09

vendor-advisoryx_refsource_GENTOO

https://cgit.freedesktop.org/spice/linux/vd_agent/commit/...

x_refsource_CONFIRM

https://lists.debian.org/debian-lts-announce/2021/01/msg0...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 20, 2018
Vulnerability Reserved
Oct 8, 2017

Red Hat

What is CVE-2017-15108?

Affected Version(s)

References

CVSS V3.1

Timeline