Remote Code Execution Vulnerability in Atril's EPUB ebook parsing
CVE-2023-52076

8.5HIGH

Key Information:

Vendor

Mate-desktop

Status
Atril
Vendor
CVE Published:
25 January 2024

What is CVE-2023-52076?

Atril Document Viewer, the default document reader for the MATE desktop environment in Linux, is affected by a path traversal and arbitrary file write vulnerability in versions prior to 1.26.2. Attackers can exploit this flaw to write arbitrary files anywhere on the filesystem that the user has access to while opening a specially crafted document. Although existing files cannot be overwritten, this vulnerability significantly increases the risk of remote command execution on the compromised system. The latest version, 1.26.2, includes a patch that mitigates this security issue.

Affected Version(s)

atril < 1.26.2

References

https://github.com/mate-desktop/atril/security/advisories...
x_refsource_CONFIRM
https://github.com/mate-desktop/atril/commit/e70b21c81541...
x_refsource_MISC
https://github.com/mate-desktop/atril/releases/tag/v1.26.2
x_refsource_MISC

EPSS Score

13% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.