CVE-2021-45844: OS Command Injection in FreeCAD

Severity: 7.8 HIGH (NVD)
EPSS: 0.3% (top 43.15%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 25, 2022; latest update Jan 26, 2022

Description

Improper sanitization in the invocation of ODA File Converter from FreeCAD 0.19 allows an attacker to inject OS commands via a crafted filename.
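The flaw described above, as an added illustration that is not FreeCAD's code and does not use the real ODA File Converter interface: a hypothetical converter wrapper written in the vulnerable shape (the filename is spliced into a shell command string) next to two hardened forms (an argv list with no shell, or `shlex.quote` when a shell cannot be avoided). `printf` stands in for the converter binary so the example runs on any system with /bin/sh, and the crafted filename is constructed here for the demonstration.

```python
"""Command injection through a filename passed to an external converter.

Added, hypothetical example: neither FreeCAD's code nor the ODA File
Converter CLI. `printf '%s\n'` stands in for the converter so the effect
of each invocation style is visible in stdout.
"""
import re
import shlex
import subprocess

# Stand-in converter as an argv list: prints each argument on its own line.
# "%s\\n" in Python source is the 4-character string %s\n that printf expands.
CONVERTER = ["printf", "%s\\n"]

# Constructed attacker-controlled filename. ';' and spaces are legal in
# Linux filenames, so this can exist on disk and be picked from a file dialog.
CRAFTED_FILENAME = "drawing.dwg; echo INJECTED"


def convert_unsafe(filename: str) -> str:
    """Vulnerable pattern: filename interpolated into a shell command line.

    Shell metacharacters in the name (;, |, &&, $(...)) are parsed by /bin/sh
    as additional commands, which run with the privileges of the application.
    """
    cmd = "printf '%s\\n' " + filename  # no quoting, no escaping
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def convert_safe(filename: str) -> str:
    """Hardened form: argv list, no shell.

    The filename reaches the program as exactly one argument, metacharacters
    included, so nothing is interpreted before the converter sees it.
    """
    return subprocess.run(CONVERTER + [filename], capture_output=True, text=True).stdout


def convert_quoted(filename: str) -> str:
    """Hardened form when a shell is genuinely required.

    shlex.quote() turns the filename into a single POSIX shell word; it is
    still weaker than convert_safe because it relies on the shell's quoting
    rules, but it neutralises the injection shown above.
    """
    cmd = "printf '%s\\n' " + shlex.quote(filename)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Secondary control: a deliberately strict allowlist for names handed to an
# external tool. Tighter than most real applications can accept (no spaces),
# so treat it as defence in depth, not as a substitute for convert_safe().
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_filename(filename: str) -> bool:
    """True only for names made of unreserved characters."""
    return bool(_SAFE_NAME.fullmatch(filename))


if __name__ == "__main__":
    print("unsafe :", repr(convert_unsafe(CRAFTED_FILENAME)))   # second command ran
    print("safe   :", repr(convert_safe(CRAFTED_FILENAME)))     # name passed intact
    print("quoted :", repr(convert_quoted(CRAFTED_FILENAME)))   # name passed intact
    print("allowed:", is_safe_filename(CRAFTED_FILENAME))       # False
```

With the crafted name, `convert_unsafe` returns two lines because `echo INJECTED` was executed by the shell; both hardened forms return the literal filename on one line. The argv-list form is the fix to prefer: it removes the shell from the path entirely, so no quoting rule has to be right.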

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

The vector is local (AV:L) with user interaction required (UI:R): the victim has to open or import a file carrying the crafted name. No privileges are needed (PR:N), and the resulting command execution runs as the FreeCAD user, hence high confidentiality, integrity and availability impact.

Affected packages (3)

Debian, debian/freecad: < 0.19.4+dfsg1-1 (bookworm)
Debian, freecadweb/freecad: < 0.19.1+dfsg1-2+deb11u1+3

Also affects: Debian Linux 9.0, 10.0, 11.0

Patches

Vulnerability Details (2)

GHSA: GHSA-344m-62pc-2wvw, Improper sanitization in the invocation of ODA File Converter from FreeCAD 0... (2022-01-26)
OSV: CVE-2021-45844, Improper sanitization in the invocation of ODA File Converter from FreeCAD 0... (2022-01-25)

Vendor Advisories (1)

Debian: CVE-2021-45844, freecad - Improper sanitization in the invocation of ODA File Converter from FreeCAD 0.19 ... (2021)