CVE-2021-45845 — OS Command Injection in Freecad

CWE-78 — OS Command Injection4 documents4 sources

Severity

7.8HIGHNVD

EPSS

1.5%

top 18.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freecadweb Freecad Debian Freecad Debian Linux

Timeline

PublishedJan 25

Latest updateJan 26

Description

The Path Sanity Check script of FreeCAD 0.19 is vulnerable to OS command injection, allowing an attacker to execute arbitrary commands via a crafted FCStd document.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages3 packages

▶debiandebian/freecad< freecad 0.19.4+dfsg1-1 (bookworm)

▶Debianfreecadweb/freecad< 0.19.1+dfsg1-2+deb11u1+3

▶NVDfreecadweb/freecad0.19

Also affects: Debian Linux 11.0

Patches

Patch: github.com ↗Patch: tracker.freecad.org ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-pp7p-q5v7-3cr2: The Path Sanity Check script of FreeCAD 0↗2022-01-26

▶

OSV

CVE-2021-45845: The Path Sanity Check script of FreeCAD 0↗2022-01-25

▶

📋Vendor Advisories

Debian

CVE-2021-45845: freecad - The Path Sanity Check script of FreeCAD 0.19 is vulnerable to OS command injecti...↗2021

▶