cbcvebase.
CVE-2013-2024
published 2019-10-31

CVE-2013-2024: OS command injection vulnerability in the "qs" procedure from the "utils" module in Chicken before 4.9.0.

Priority: P2 62, high 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.52% (90.3th percentile)

Affected

10 ranges
Vendor  | Product      | Version range                  | Fixed in
call-cc | chicken      | <= 4.8.2                       |
chicken | chicken      |                                |
chicken | chicken      | >= 0 < 4.8.0.3-1               | 4.8.0.3-1
chicken | chicken      | >= 0 < 4.8.0.3-1               | 4.8.0.3-1
chicken | chicken      | >= 0 < 4.8.0.3-1               | 4.8.0.3-1
chicken | chicken      | >= 0 < 4.8.0.3-1               | 4.8.0.3-1
debian  | chicken      | < chicken 4.8.0.3-1 (bookworm) | chicken 4.8.0.3-1 (bookworm)
debian  | debian_linux |                                |
debian  | debian_linux |                                |
debian  | debian_linux |                                |

Detection & IOCs (extracted from sources)

  • Vulnerable component is the 'qs' procedure within the 'utils' module of Chicken (Scheme interpreter) versions before 4.9.0; monitor for OS command injection attempts via this procedure
  • Vulnerability is local in scope; exploitation requires local access to the affected system running Chicken before 4.9.0
  • Debian fix was applied at package version 4.8.0.3-1 (not upstream 4.9.0); verify the installed Debian package version, not just the upstream Chicken version, when assessing patch status

CVSS provenance

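Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 9.0   | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C
osv           |         | 8.8   | HIGH     |
cisa          |         | 8.8   | HIGH     |
vendor_debian |         | 8.8   | HIGH     |
vendor_redhat |         | 7.8   | HIGH     |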