CVE-2017-9736 — OS Command Injection in Spip

CWE-78 — OS Command Injection4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

4.1%

top 11.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Spip Debian Spip

Timeline

PublishedJun 17

Latest updateMay 17

Description

SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/spip< spip 3.1.4-3 (bullseye)

▶Debianspip/spip< 3.1.4-3+2

▶NVDspip/spip8 versions+7

Patches

Patch: core.spip.net ↗Patch: core.spip.net ↗Patch: core.spip.net ↗

🔴Vulnerability Details

GHSA

GHSA-x85m-mcx3-934m: SPIP 3↗2022-05-17

▶

OSV

CVE-2017-9736: SPIP 3↗2017-06-17

▶

📋Vendor Advisories

Debian

CVE-2017-9736: spip - SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharac...↗2017

▶