Command Injection Vulnerability in Linux Mint mintupload Package
CVE-2024-36053
Key Information:
- Vendor: Linux Mint
- CVE Published: 19 May 2024
Summary
A vulnerability has been identified in the mintupload package for Linux Mint, in versions up to 4.2.0. The package handles service names improperly, so a name that contains shell metacharacters can lead to command injection. Specifically, a user is able to manipulate a service name defined in a configuration file located at ~/.linuxmint/mintUpload/services/service. This manipulation allows potentially harmful commands to be executed on the system, compromising its security. The affected functions include check_connection, drop_data_received_cb, and Service.remove. Users of Linux Mint are encouraged to review their configurations and apply necessary mitigations.
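The class of bug described above, shown as an added example that is not mintupload's code: a name pasted into a shell command string is compared with the same name passed as one argument without a shell, plus an allowlist check. All function names, the allowlist pattern, the sample name and the use of `echo` as a stand-in command are assumptions made for this illustration.

```python
import re
import subprocess

# Constructed sample input: a service name carrying a shell metacharacter.
SAMPLE_NAME = "backup; echo INJECTED"

# Allowlist chosen for this example only (an assumption, not mintupload's rule).
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")


def is_safe_service_name(name: str) -> bool:
    """True only if every character of the name is on the allowlist."""
    return SAFE_NAME.fullmatch(name) is not None


def echo_via_shell(name: str) -> list[str]:
    """'Before' pattern: the name is pasted into a shell command string."""
    proc = subprocess.run("echo " + name, shell=True,
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def echo_via_argv(name: str) -> list[str]:
    """'After' pattern: argument list, no shell, so the name stays one argument."""
    proc = subprocess.run(["echo", name],
                          capture_output=True, text=True, check=True)
    return proc.stdout.splitlines()


def echo_checked(name: str) -> list[str]:
    """Defence in depth: reject unexpected names, then use the argv form."""
    if not is_safe_service_name(name):
        raise ValueError(f"rejected service name: {name!r}")
    return echo_via_argv(name)


if __name__ == "__main__":
    print("shell:", echo_via_shell(SAMPLE_NAME))   # the shell ran two commands
    print("argv: ", echo_via_argv(SAMPLE_NAME))    # one literal argument
    print("safe? ", is_safe_service_name(SAMPLE_NAME))
```
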