CVE-2014-9622 — Command Injection in Xdg-utils

CWE-77 — Command Injection CWE-95 — Eval Injection6 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

1.7%

top 17.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Xdg-utils Debian Xdg-utils Gentoo Xdg-utils

Timeline

PublishedJan 21

Latest updateMay 17

Description

Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop environment is identified, allows context-dependent attackers to execute arbitrary code via the URL argument to xdg-open.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶Debianfreedesktop/xdg-utils< 1.1.0~rc1+git20111210-7.3+3

▶debiandebian/xdg-utils< xdg-utils 1.1.0~rc1+git20111210-7.3 (bookworm)

▶NVDgentoo/xdg-utils1.1.0

🔴Vulnerability Details

GHSA

GHSA-q937-m2fx-r449: Eval injection vulnerability in xdg-utils 1↗2022-05-17

▶

OSV

CVE-2014-9622: Eval injection vulnerability in xdg-utils 1↗2015-01-21

▶

📋Vendor Advisories

Debian

CVE-2014-9622: xdg-utils - Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop e...↗2014

▶

Red Hat

xdg-utils: Eval injection in xdg-open allows arbitrary command execution on crafted URL↗2013-06-10

▶

💬Community

Bugzilla

CVE-2014-9622 xdg-utils: Eval injection in xdg-open allows arbitrary command execution on crafted URL↗2015-01-19

▶