CVE-2005-2929: OS Command Injection in Lynx

Severity
10.0 CRITICAL NVD
NVD 7.5
EPSS
6.0%
top 9.28%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 18
Latest update: May 17

Description

Lynx 2.8.5, and other versions before 2.8.6dev.15, allows remote attackers to execute arbitrary commands via (1) lynxcgi:, (2) lynxexec, and (3) lynxprog links, which are not properly restricted in the default configuration in some environments.

CVSS vector

AV:N/AC:L/C:P/I:P/A:P
Exploitability: 10.0 | Impact: 6.4

Affected Packages (3 packages)

NVD: lynx/lynx 2.8.6 (+6)
debian: debian/lynx
NVD: university_of_kansas/lynx 2.8.5, 2.8.6, 2.8.6_dev13 (+2)

Patches

🔴 Vulnerability Details

2
GHSA
GHSA-wjrg-f7gg-3p35: lynx 2 (2022-05-17)
GHSA
GHSA-f56f-988c-jq3p: Lynx 2 (2022-05-03)

📋 Vendor Advisories

4
Red Hat
lynx: remote arbitrary command execution via a crafted lynxcgi: URL (2008-10-09)
Debian
CVE-2008-4690: lynx - lynx 2.8.6dev.15 and earlier, when advanced mode is enabled and lynx is configur... (2008)
Red Hat
lynx arbitrary command execution (2005-11-11)
Debian
CVE-2005-2929: lynx - Lynx 2.8.5, and other versions before 2.8.6dev.15, allows remote attackers to ex... (2005)

💬 Community

4
Bugzilla
CVE-2008-4690 lynx: remote arbitrary command execution via a crafted lynxcgi: URL (2008-10-23)
Bugzilla
CVE-2005-2929 lynx arbitrary command execution (2005-11-11)
Bugzilla
CVE-2005-2929 lynx arbitrary command execution (2005-11-11)
Bugzilla
Lynx issues (CVE-2005-2929 and CVE-2005-3120) (2004-10-29)