CVE-2017-18266 — Injection in Xdg-utils

CWE-74 — Injection CWE-88 — Argument Injection8 documents7 sources

Severity

8.8HIGHNVD

EPSS

1.0%

top 22.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Xdg-utils Debian Xdg-utils Canonical Ubuntu Linux +1 more

Timeline

PublishedMay 10

Latest updateMay 14

Description

The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by %s in this environment variable.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/xdg-utils< xdg-utils 1.1.3-1 (bookworm)

▶NVDfreedesktop/xdg-utils< 1.1.3

▶Debianfreedesktop/xdg-utils< 1.1.3-1+3

Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 17.10, 18.04

Patches

Patch: bugs.freedesktop.org ↗Patch: cgit.freedesktop.org ↗Patch: bugs.freedesktop.org ↗

🔴Vulnerability Details

GHSA

GHSA-76r6-j2q8-m63q: The open_envvar function in xdg-open in xdg-utils before 1↗2022-05-14

▶

OSV

CVE-2017-18266: The open_envvar function in xdg-open in xdg-utils before 1↗2018-05-10

▶

📋Vendor Advisories

Ubuntu

xdg-utils vulnerability↗2018-05-21

▶

Red Hat

xdg-utils: Argument injection vulnerability in open_envvar() function↗2017-11-18

▶

Debian

CVE-2017-18266: xdg-utils - The open_envvar function in xdg-open in xdg-utils before 1.1.3 does not validate...↗2017

▶

💬Community

Bugzilla

CVE-2017-18266 xdg-utils: Argument injection vulnerability in open_envvar() function [fedora-all]↗2018-05-16

▶

Bugzilla

CVE-2017-18266 xdg-utils: Argument injection vulnerability in open_envvar() function↗2018-05-16

▶