Argument Injection Vulnerability in xdg-open (XDG Utils)
CVE-2017-18266

8.8 HIGH

Key Information:

CVE Published: 10 May 2018

What is CVE-2017-18266?

The open_envvar function in xdg-open, part of the xdg-utils suite prior to version 1.1.3, fails to properly validate strings from the BROWSER environment variable before executing them. This lets remote attackers conduct argument injection attacks through crafted URLs. Such vulnerabilities allow attackers to execute arbitrary commands, which underlines the need for strict input validation.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
