CVE-2015-1877 — Command Injection in Xdg-utils

CWE-77 — Command Injection7 documents6 sources

Severity

8.8HIGHNVD

EPSS

1.7%

top 17.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Xdg-utils Debian Xdg-utils Debian Linux

Timeline

PublishedJun 2

Latest updateMay 24

Description

The open_generic_xdg_mime function in xdg-open in xdg-utils 1.1.0 rc1 in Debian, when using dash, does not properly handle local variables, which allows remote attackers to execute arbitrary commands via a crafted file.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/xdg-utils< xdg-utils 1.1.0~rc1+git20111210-7.4 (bookworm)

▶Debianfreedesktop/xdg-utils< 1.1.0~rc1+git20111210-7.4+3

▶NVDfreedesktop/xdg-utils1.1.0

Also affects: Debian Linux 7.0, 8.0

Patches

Patch: www.openwall.com ↗Patch: www.openwall.com ↗Patch: bugs.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-2mj7-mx8w-ppw2: The open_generic_xdg_mime function in xdg-open in xdg-utils 1↗2022-05-24

▶

OSV

CVE-2015-1877: The open_generic_xdg_mime function in xdg-open in xdg-utils 1↗2021-06-02

▶

📋Vendor Advisories

Red Hat

xdg-utils: command injection vulnerability due to local variables collision in xdg-open↗2015-02-11

▶

Debian

CVE-2015-1877: xdg-utils - The open_generic_xdg_mime function in xdg-open in xdg-utils 1.1.0 rc1 in Debian,...↗2015

▶

💬Community

Bugzilla

CVE-2015-1877 xdg-utils: command injection vulnerability due to local variables collision in xdg-open [fedora-all]↗2015-02-19

▶

Bugzilla

CVE-2015-1877 xdg-utils: command injection vulnerability due to local variables collision in xdg-open↗2015-02-19

▶