CVE-2023-52076
published 2024-01-25CVE-2023-52076: Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists…
PriorityP277high7.8CVSS 3.1
AVLACLPRNUIRSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.02%
58.9th percentile
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | atril | < atril 1.26.0-2+deb12u3 (bookworm) | atril 1.26.0-2+deb12u3 (bookworm) |
| mate-desktop | atril | < 1.26.2 | 1.26.2 |
| mate-desktop | atril | >= 0 < 1.24.0-1+deb11u1 | 1.24.0-1+deb11u1 |
| mate-desktop | atril | >= 0 < 1.26.0-2+deb12u3 | 1.26.0-2+deb12u3 |
| mate-desktop | atril | >= 0 < 1.26.2-1 | 1.26.2-1 |
| mate-desktop | atril | >= 0 < 1.26.2-1 | 1.26.2-1 |
Detection & IOCsextracted from sources · hover to see the quote
- →The vulnerability is triggered by opening a specially crafted EPUB file in Atril Document Viewer; monitor for suspicious EPUB file opens in Atril, especially those resulting in unexpected file creation outside normal document directories. ↗
- →The attack vector is a path traversal in Atril's EPUB handling, allowing arbitrary file writes to any location accessible by the user; detect unexpected file creation events (e.g., via inotify/auditd) spawned from the atril process. ↗
- →The vulnerability cannot overwrite existing files but can be used to achieve Remote Code Execution (e.g., by writing new files such as cron jobs, autostart entries, or shell scripts); monitor for new file creation in sensitive directories (e.g., ~/.config/autostart/, /etc/cron.d/, ~/.bashrc) by the atril process. ↗
- ·Vulnerability only affects Atril versions prior to 1.26.2; patched versions include Atril 1.26.2-1 (sid/trixie/forky), 1.26.0-2+deb12u3 (Debian bookworm), and 1.24.0-1+deb11u1 (Debian bullseye). Ensure deployed version is at or above these thresholds. ↗
- ·Exploitation requires local user interaction — the target user must open a crafted document. The attack scope is local, limiting remote exploitation to social engineering delivery of a malicious EPUB file. ↗
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv7.8HIGH
vulncheck8.5HIGH
vendor_debian8.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2023-52076: Atril Document Viewer is the default document reader of the MATE desktop environment for Linux
osv·2024-01-25·CVSS 7.8
CVE-2023-52076 [HIGH] CVE-2023-52076: Atril Document Viewer is the default document reader of the MATE desktop environment for Linux
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.
VulnCheck
mate-desktop atril Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2023·CVSS 8.5
CVE-2023-52076 [HIGH] mate-desktop atril Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
mate-desktop atril Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.
Affected: mate-desktop atril
Required Action: Apply remediations or mitigations per vendor instructions
Ubuntu
Atril vulnerability
vendor_ubuntu·2024-06-05
CVE-2023-52076 Atril vulnerability
Title: Atril vulnerability
Summary: Atril could be made to create arbitrary files when opening a specially
crafted EPUB file.
It was discovered that Atril was vulnerable to a path traversal attack.
An attacker could possibly use this vulnerability to create arbitrary
files on the host filesystem with user privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2023-52076: atril - Atril Document Viewer is the default document reader of the MATE desktop environ...
vendor_debian·2023·CVSS 8.5
CVE-2023-52076 [HIGH] CVE-2023-52076: atril - Atril Document Viewer is the default document reader of the MATE desktop environ...
Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.
Scope: local
bookworm: resolved (fixed in 1.26.0-2+deb12u3)
bullseye: resolved (fixed in 1.24.0-1+deb11u1)
forky: resolved (fixed in 1.26.2-1)
sid: resolved (fixed in 1.26.2-1)
trixie: resolved (fixed in 1
No detection rules found.
No public exploits indexed.
https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50https://github.com/mate-desktop/atril/releases/tag/v1.26.2https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37https://lists.debian.org/debian-lts-announce/2024/06/msg00003.htmlhttps://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50https://github.com/mate-desktop/atril/releases/tag/v1.26.2https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37https://lists.debian.org/debian-lts-announce/2024/06/msg00003.html
2024-01-25
Published
Exploited in the wild