CVE-2017-17522: Injection in Python

Severity: 8.8 HIGH (NVD)
EPSS: 0.7% (top 29.05%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 14; latest update May 14

Description

Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages: 9 packages

Vulnerability Details (2)

GHSA: GHSA-3qjm-23v2-9v26: ** DISPUTED ** Lib/webbrowser (2022-05-14)
OSV: CVE-2017-17522: Lib/webbrowser (2017-12-14)

Vendor Advisories (3)

Red Hat: python: Command injection in Lib/webbrowser.py (2017-12-14)
Microsoft: Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable which might allow remote attackers to conduct argument-in (2017-12-12)
Debian: CVE-2017-17522: jython - Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launc... (2017)

Community (7)

Bugzilla: CVE-2017-17522 python: Command injection in Lib/webbrowser.py [fedora-all] (2017-12-14)
Bugzilla: CVE-2017-17522 python35: python: Command injection in Lib/webbrowser.py [fedora-all] (2017-12-14)
Bugzilla: CVE-2017-17522 python34: python: Command injection in Lib/webbrowser.py [fedora-all] (2017-12-14)
Bugzilla: CVE-2017-17522 python26: python: Command injection in Lib/webbrowser.py [fedora-all] (2017-12-14)
Bugzilla: CVE-2017-17522 python: Command injection in Lib/webbrowser.py (2017-12-14)