CVE-2018-3836 — OS Command Injection in Leptonica
Severity
9.8CRITICALNVD
NVD7.8OSV7.8OSV7.0OSV3.3
EPSS
0.1%
top 67.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedApr 24
Latest updateMay 13
Description
An exploitable command injection vulnerability exists in the gplotMakeOutput function of Leptonica 1.74.4. A specially crafted gplot rootname argument can cause a command injection resulting in arbitrary code execution. An attacker can provide a malicious path as input to an application that passes attacker data to this function to trigger this vulnerability.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9
Affected Packages2 packages
Also affects: Debian Linux 7.0
🔴Vulnerability Details
6📋Vendor Advisories
3💬Community
9Bugzilla▶
CVE-2018-7440 leptonica: gplotMakeOutput command injection (CVE-2018-3836 incomplete fix)↗2018-02-27
Bugzilla▶
CVE-2018-7440 leptonica: gplotMakeOutput command injection (CVE-2018-3836 incomplete fix) [epel-all]↗2018-02-27
Bugzilla▶
CVE-2018-7440 mingw-leptonica: leptonica: gplotMakeOutput command injection (CVE-2018-3836 incomplete fix) [fedora-all]↗2018-02-27
Bugzilla▶
CVE-2018-7440 leptonica: gplotMakeOutput command injection (CVE-2018-3836 incomplete fix) [fedora-all]↗2018-02-27