CVE-2024-25081 — Command Injection in Fontforge

CWE-77 — Command Injection CWE-78 — OS Command Injection8 documents7 sources

Severity

4.2MEDIUMNVD

EPSS

0.0%

top 88.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fontforge Debian Linux Fedoraproject Fedora

Timeline

PublishedFeb 26

Latest updateJun 27

Description

Splinefont in FontForge through 20230101 allows command injection via crafted filenames.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:LExploitability: 0.8 | Impact: 3.4

Affected Packages3 packages

▶Debianfontforge/fontforge< 1:20201107~dfsg-4+deb11u1+3

▶Ubuntufontforge/fontforge< 1:20190801~dfsg-4ubuntu0.1+3

▶NVDfontforge/fontforge20230101

Also affects: Debian Linux 10.0, Fedora 40

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

fontforge vulnerabilities↗2024-06-27

▶

CVEList

CVE-2024-25081: Splinefont in FontForge through 20230101 allows command injection via crafted filenames↗2024-02-26

▶

GHSA

GHSA-rjx3-xwwm-jhj5: Splinefont in FontForge through 20230101 allows command injection via crafted filenames↗2024-02-26

▶

OSV

CVE-2024-25081: Splinefont in FontForge through 20230101 allows command injection via crafted filenames↗2024-02-26

▶

📋Vendor Advisories

Ubuntu

FontForge vulnerabilities↗2024-06-27

▶

Red Hat

fontforge: command injection via crafted filenames↗2024-02-26

▶

Debian

CVE-2024-25081: fontforge - Splinefont in FontForge through 20230101 allows command injection via crafted fi...↗2024

▶