Atril's CBT comic book parsing vulnerable to Remote Code Execution
CVE-2023-51698

9.6CRITICAL

Key Information:

Vendor

Mate-desktop

Status
Atril
Vendor
CVE Published:
12 January 2024

What is CVE-2023-51698?

Atril, the multi-page document viewer utilized in various Linux environments, has been identified with a command injection vulnerability. This security flaw occurs when a user opens a specially crafted CBT document, which is stored as a TAR archive. An attacker can exploit this weakness to gain unauthorized access to the system, posing a risk of potential data breaches and compromise of system integrity. Users are strongly urged to apply the patches made available in commit ce41df6 to mitigate this vulnerability.

Affected Version(s)

atril <= 1.26.3

References

https://github.com/mate-desktop/atril/security/advisories...
x_refsource_CONFIRM
https://github.com/mate-desktop/atril/commit/ce41df646752...
x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.