Code Injection Vulnerability in PyXDG Affects Multiple Configurations
CVE-2019-12761

7.5 HIGH

Key Information:

Vendor: Python
Status: Vendor
CVE Published: 6 June 2019

Summary

A code injection issue exists in the PyXDG library before version 0.26. It can be exploited through specially crafted Python code embedded in the Category element of Menu XML documents found in .menu files. The flaw stems from inadequate input sanitization in the xdg/Menu.py module before the eval function is called. To trigger the vulnerability, the XDG_CONFIG_DIRS environment variable must be set so that xdg.Menu.parse inspects the directory containing the affected files.
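A defensive illustration of the summary above, added here and not taken from PyXDG's own code: Menu Include/Exclude rules are evaluated by walking the XML tree rather than assembling an expression string for eval(), and an audit pass flags any Category text in the .menu files under XDG_CONFIG_DIRS that is not a plain identifier. The identifier pattern and the sample document are assumptions, modelled on the Desktop Menu specification's category names.

```python
import glob
import os
import re
import xml.etree.ElementTree as ET

# Assumption: spec category names are plain identifiers; anything else in <Category> is suspect.
CATEGORY_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")

# Constructed sample .menu document (not taken from any real system).
SAMPLE_MENU = """<Menu><Name>Applications</Name><Include>
  <Category>Network</Category>
  <And><Category>Utility</Category><Not><Category>X-Hidden</Category></Not></And>
</Include></Menu>"""

def audit_menu_xml(xml_text):
    """Return the text of each <Category> element that is not a plain identifier."""
    root = ET.fromstring(xml_text)
    return [c.text or "" for c in root.iter("Category")
            if not CATEGORY_RE.match(c.text or "")]

def rule_matches(rule, categories):
    """Walk an Include/Exclude rule tree directly; no expression string, no eval()."""
    if rule.tag == "Category":
        return (rule.text or "").strip() in categories
    if rule.tag == "All":
        return True
    kids = list(rule)
    if rule.tag == "Not":
        return not rule_matches(kids[0], categories)
    if rule.tag == "And":
        return all(rule_matches(k, categories) for k in kids)
    if rule.tag == "Or":
        return any(rule_matches(k, categories) for k in kids)
    raise ValueError("unknown rule element: %s" % rule.tag)

def include_matches(xml_text, categories):
    """True if any rule under <Include> matches (rules there are OR'd)."""
    root = ET.fromstring(xml_text)
    return any(rule_matches(r, set(categories)) for r in root.find("Include"))

def audit_config_dirs(env=os.environ):
    """Audit every .menu file in each $XDG_CONFIG_DIRS/menus directory (default /etc/xdg)."""
    findings = {}
    for d in env.get("XDG_CONFIG_DIRS", "/etc/xdg").split(":"):
        for path in glob.glob(os.path.join(d, "menus", "*.menu")):
            with open(path, encoding="utf-8") as f:
                bad = audit_menu_xml(f.read())
            if bad:
                findings[path] = bad
    return findings
```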

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
