CVE-2023-52076
published 2024-01-25

Priority: P2, 77, high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 1.02% (58.9th percentile)

Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.

Affected (6 ranges)

Vendor        Product  Version range                        Fixed in
debian        atril    < atril 1.26.0-2+deb12u3 (bookworm)  atril 1.26.0-2+deb12u3 (bookworm)
mate-desktop  atril    < 1.26.2                             1.26.2
mate-desktop  atril    >= 0 < 1.24.0-1+deb11u1              1.24.0-1+deb11u1
mate-desktop  atril    >= 0 < 1.26.0-2+deb12u3              1.26.0-2+deb12u3
mate-desktop  atril    >= 0 < 1.26.2-1                      1.26.2-1
mate-desktop  atril    >= 0 < 1.26.2-1                      1.26.2-1

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered by opening a specially crafted EPUB file in Atril Document Viewer; monitor for suspicious EPUB file opens in Atril, especially those resulting in unexpected file creation outside normal document directories.
  • The attack vector is a path traversal in Atril's EPUB handling, allowing arbitrary file writes to any location accessible by the user; detect unexpected file creation events (e.g., via inotify/auditd) spawned from the atril process.
  • The vulnerability cannot overwrite existing files but can be used to achieve Remote Code Execution (e.g., by writing new files such as cron jobs, autostart entries, or shell scripts); monitor for new file creation in sensitive locations (e.g., ~/.config/autostart/, /etc/cron.d/, ~/.bashrc) by the atril process.
  • Vulnerability only affects Atril versions prior to 1.26.2; patched versions include Atril 1.26.2-1 (sid/trixie/forky), 1.26.0-2+deb12u3 (Debian bookworm), and 1.24.0-1+deb11u1 (Debian bullseye). Ensure deployed version is at or above these thresholds.
  • Exploitation requires local user interaction — the target user must open a crafted document. The attack scope is local, limiting remote exploitation to social engineering delivery of a malicious EPUB file.
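
The auditd-based detection described in the bullets above, as an added example (not code from this page or from the Atril project): it groups SYSCALL, CWD and PATH records by event id and flags files created by atril in the listed locations, resolving relative names against the working directory before matching. The log lines are constructed, and the /home and /root home layout and the match on the executable's basename are assumptions.

```python
import posixpath
import re
from collections import defaultdict

# Constructed auditd records (not from a real host); records that share an
# audit(<time>:<serial>) id belong to one event. Paths and pids are made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1706180000.101:4210): syscall=257 success=yes pid=2301 comm="atril" exe="/usr/bin/atril"
type=PATH msg=audit(1706180000.101:4210): item=1 name="/tmp/atril-2301/book/ch1.html" nametype=CREATE
type=SYSCALL msg=audit(1706180000.245:4211): syscall=257 success=yes pid=2301 comm="atril" exe="/usr/bin/atril"
type=CWD msg=audit(1706180000.245:4211): cwd="/tmp/atril-2301/book"
type=PATH msg=audit(1706180000.245:4211): item=1 name="../../../home/alice/.config/autostart/update.desktop" nametype=CREATE
type=SYSCALL msg=audit(1706180003.500:4212): syscall=257 success=yes pid=2450 comm="vim" exe="/usr/bin/vim"
type=PATH msg=audit(1706180003.500:4212): item=1 name="/home/alice/.config/autostart/notes.desktop" nametype=CREATE
"""

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HOME = r"(?:/home/[^/]+|/root)"  # assumption: where home directories live
SENSITIVE = re.compile(rf"^(?:{HOME}/\.config/autostart/|/etc/cron\.d/|{HOME}/\.bashrc$)")

def parse_events(log):
    """Return {event id: {record type: [field dicts]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        m = EVENT_ID.search(line)
        if m:
            f = {k: v.strip('"') for k, v in FIELD.findall(line)}
            events[m.group(1)][f.get("type")].append(f)
    return events

def suspicious_creates(log, exe_name="atril"):
    """Return (event id, resolved path) for files exe_name created in sensitive locations."""
    hits = []
    for eid, ev in parse_events(log).items():
        exe = ev["SYSCALL"][0].get("exe", "") if ev["SYSCALL"] else ""
        if posixpath.basename(exe) != exe_name:
            continue
        cwd = ev["CWD"][0].get("cwd", "/") if ev["CWD"] else "/"
        for p in ev["PATH"]:
            if p.get("nametype") != "CREATE":
                continue
            # Resolve relative names and ".." segments before matching.
            path = posixpath.normpath(posixpath.join(cwd, p.get("name", "")))
            if SENSITIVE.match(path):
                hits.append((eid, path))
    return hits
```

Matching on the raw PATH name alone would miss event 4211, because the recorded name is relative to the process working directory.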

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv                     7.8    HIGH
vulncheck               8.5    HIGH
vendor_debian           8.5    HIGH