CVE-2022-4170 — Injection in Rxvt-unicode

CWE-74 — Injection4 documents4 sources

Severity

9.8CRITICALNVD

EPSS

3.2%

top 13.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rxvt-unicode Project Rxvt-unicode Debian Rxvt-unicode Fedoraproject Extra Packages FOR Enterprise Linux +1 more

Timeline

PublishedDec 9

Description

The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the user's terminal and certain options are set.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶debiandebian/rxvt-unicode< rxvt-unicode 9.31-1 (forky)

▶Debianrxvt-unicode_project/rxvt-unicode< 9.31-1+1

▶CVEListV5rxvt-unicode_project/rxvt-unicoderxvt-unicode 9.30

▶NVDrxvt-unicode_project/rxvt-unicode9.25, 9.26+1

▶NVDfedoraproject/extra_packages8.0

Also affects: Fedora 37

🔴Vulnerability Details

GHSA

GHSA-v3h7-vj8g-6x3r: The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to↗2022-12-09

▶

OSV

CVE-2022-4170: The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to↗2022-12-09

▶

📋Vendor Advisories

Debian

CVE-2022-4170: rxvt-unicode - The rxvt-unicode package is vulnerable to a remote code execution, in the Perl b...↗2022

▶