CVE-2014-3121 — OS Command Injection in Rxvt-unicode

CWE-78 — OS Command Injection7 documents5 sources

Severity

7.6HIGHNVD

EPSS

3.3%

top 12.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rxvt-unicode Project Rxvt-unicode Debian Rxvt-unicode Marc Lehmann Rxvt-unicode

Timeline

PublishedMay 14

Latest updateMay 14

Description

rxvt-unicode before 9.20 does not properly handle OSC escape sequences, which allows user-assisted remote attackers to manipulate arbitrary X window properties and execute arbitrary commands.

CVSS vector

AV:N/AC:H/C:C/I:C/A:CExploitability: 4.9 | Impact: 10.0

Affected Packages3 packages

▶debiandebian/rxvt-unicode< rxvt-unicode 9.20-1 (bookworm)

▶Debianrxvt-unicode_project/rxvt-unicode< 9.20-1+3

▶NVDmarc_lehmann/rxvt-unicode9.19+16

🔴Vulnerability Details

GHSA

GHSA-rjvw-jwff-pvpc: rxvt-unicode before 9↗2022-05-14

▶

OSV

CVE-2014-3121: rxvt-unicode before 9↗2014-05-14

▶

📋Vendor Advisories

Debian

CVE-2014-3121: rxvt-unicode - rxvt-unicode before 9.20 does not properly handle OSC escape sequences, which al...↗2014

▶

💬Community

Bugzilla

CVE-2014-3121 rxvt-unicode: user-assisted arbitrary commands execution [fedora-all]↗2014-05-01

▶

Bugzilla

CVE-2014-3121 rxvt-unicode: user-assisted arbitrary commands execution↗2014-05-01

▶

Bugzilla

CVE-2014-3121 rxvt-unicode: user-assisted arbitrary commands execution [epel-all]↗2014-05-01

▶