CVE-2023-51698 — OS Command Injection in Atril

CWE-78 — OS Command Injection6 documents5 sources

Severity

8.8HIGHNVD

CNA9.6

EPSS

2.0%

top 16.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Evince Mate-desktop Atril

Timeline

PublishedJan 12

Latest updateFeb 18

Description

Atril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶Debianmate-desktop/atril< 1.24.0-1+deb11u1+3

▶CVEListV5mate-desktop/atril1.26.3

▶NVDmate-desktop/atril1.26.3

▶Debiangnome/evince< 3.25.92-1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

atril vulnerabilities↗2025-02-18

▶

CVEList

Atril's CBT comic book parsing vulnerable to Remote Code Execution↗2024-01-12

▶

OSV

CVE-2023-51698: Atril is a simple multi-page document viewer↗2024-01-12

▶

📋Vendor Advisories

Ubuntu

Atril vulnerabilities↗2025-02-18

▶

Debian

CVE-2023-51698: atril - Atril is a simple multi-page document viewer. Atril is vulnerable to a critical ...↗2023

▶