CVE-2009-3850
published 2009-11-06CVE-2009-3850: Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action…
PriorityP356critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
9.44%
94.8th percentile
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| blender | blender | — | — |
| blender | blender | — | — |
| blender | blender | — | — |
| blender | blender | — | — |
| debian | blender | — | — |
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
osv9.3CRITICAL
vendor_debian9.3LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-cfxm-x8mw-xvmf: Blender 2
ghsa_unreviewed·2022-05-02
CVE-2009-3850 [HIGH] CWE-94 GHSA-cfxm-x8mw-xvmf: Blender 2
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA.
OSV
CVE-2009-3850: Blender 2
osv·2009-11-06·CVSS 9.3
CVE-2009-3850 [CRITICAL] CVE-2009-3850: Blender 2
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA.
Debian
CVE-2009-3850: blender - Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrar...
vendor_debian·2009·CVSS 9.3
CVE-2009-3850 [CRITICAL] CVE-2009-3850: blender - Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrar...
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to execute arbitrary code via a .blend file that contains Python statements in the onLoad action of a ScriptLink SDNA.
Scope: local
bookworm: open
bullseye: open
sid: open
trixie: open
No detection rules found.
Bugzilla
CVE-2009-3850 Blender: Arbitrary code execution via malicious .blend file [epel-all]
bugzilla·2012-08-25·CVSS 9.3
CVE-2009-3850 [CRITICAL] CVE-2009-3850 Blender: Arbitrary code execution via malicious .blend file [epel-all]
CVE-2009-3850 Blender: Arbitrary code execution via malicious .blend file [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_
Bugzilla
CVE-2009-3850 Blender: Arbitrary code execution via malicious .blend file
bugzilla·2009-11-06·CVSS 9.3
CVE-2009-3850 [CRITICAL] CVE-2009-3850 Blender: Arbitrary code execution via malicious .blend file
CVE-2009-3850 Blender: Arbitrary code execution via malicious .blend file
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3850 to
the following vulnerability:
Blender 2.34, 2.35a, 2.40, and 2.49b allows remote attackers to
execute arbitrary code via a .blend file that contains Python
statements in the onLoad action of a ScriptLink SDNA.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3850
http://www.securityfocus.com/archive/1/archive/1/507706/100/0/threaded
http://www.coresecurity.com/content/blender-scripting-injection
http://www.securityfocus.com/bid/36838
Upstream patch:
Not available, see above thread, when searching
for patch addressing the issue.
Discussion:
This issue affects the versions of the Blender package, as shipped with
Fedora r
http://www.coresecurity.com/content/blender-scripting-injectionhttp://www.securityfocus.com/archive/1/507706/100/0/threadedhttp://www.securityfocus.com/bid/36838http://www.coresecurity.com/content/blender-scripting-injectionhttp://www.securityfocus.com/archive/1/507706/100/0/threadedhttp://www.securityfocus.com/bid/36838
2009-11-06
Published