CVE-2012-4463 — Improper Input Validation in Midnight Commander

CWE-20 — Improper Input Validation7 documents6 sources

Severity

5.1MEDIUMNVD

EPSS

0.6%

top 29.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian MC Midnight-commander Midnight Commander

Timeline

PublishedOct 10

Latest updateMay 17

Description

Midnight Commander (mc) 4.8.5 does not properly handle the (1) MC_EXT_SELECTED or (2) MC_EXT_ONLYTAGGED environment variables when multiple files are selected, which allows user-assisted remote attackers to execute arbitrary commands via a crafted file name.

CVSS vector

AV:N/AC:H/C:P/I:P/A:PExploitability: 4.9 | Impact: 6.4

Affected Packages2 packages

▶NVDmidnight-commander/midnight_commander4.8.5

▶debiandebian/mc< mc 3:4.8.8-1 (bookworm)

🔴Vulnerability Details

GHSA

GHSA-rmf6-73g7-v4xm: Midnight Commander (mc) 4↗2022-05-17

▶

OSV

CVE-2012-4463: Midnight Commander (mc) 4↗2012-10-10

▶

📋Vendor Advisories

Red Hat

mc: Improper sanitization of MC_EXT_SELECTED variable when viewing multiple files↗2012-09-28

▶

Debian

CVE-2012-4463: mc - Midnight Commander (mc) 4.8.5 does not properly handle the (1) MC_EXT_SELECTED o...↗2012

▶

💬Community

Bugzilla

CVE-2012-4463 mc: Improper sanitization of MC_EXT_SELECTED variable when viewing multiple files [fedora-all]↗2012-10-03

▶

Bugzilla

CVE-2012-4463 mc: Improper sanitization of MC_EXT_SELECTED variable when viewing multiple files↗2012-10-03

▶