Command Injection Vulnerability in Linux Mint mintupload Package
CVE-2024-36053

9CRITICAL

Key Information:

Vendor: Linux Mint
Vendor: CVE Published:; 19 May 2024

What is CVE-2024-36053?

A vulnerability has been identified in the mintupload package for Linux Mint versions up to 4.2.0. This issue arises due to improper handling of service names, which can lead to command injection through the inclusion of shell metacharacters. Specifically, a user is able to manipulate a service name defined in a configuration file located at ~/.linuxmint/mintUpload/services/service. This manipulation allows potentially harmful commands to be executed within the system, compromising its security. The affected functions include check_connection, drop_data_received_cb, and Service.remove, which are susceptible to exploitation due to this oversight. Users of Linux Mint are encouraged to review their configurations and apply necessary mitigations.

References

https://github.com/linuxmint/mintupload/issues/42

https://github.com/linuxmint/mintupload/issues/43

http://packages.linuxmint.com/pool/main/m/mintupload/

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2024