CVE-2017-17513
published 2017-12-14


Priority: P339, high, 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.28% (66.4th percentile)
TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | context | | |
| debian | texlive-base | | |
| debian | texlive-bin | | |
| tug | tex_live | <= 20170524 | |

CVSS provenance

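| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | LOW | |
| vendor_redhat | | 8.8 | HIGH | |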