CVE-2024-25082 — Command Injection in Fontforge

CWE-77 — Command Injection CWE-78 — OS Command Injection8 documents7 sources

Severity

6.5MEDIUMNVD

OSV4.2

EPSS

0.9%

top 24.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fontforge Debian Linux Fedoraproject Fedora

Timeline

PublishedFeb 26

Latest updateJun 27

Description

Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages3 packages

▶Debianfontforge/fontforge< 1:20201107~dfsg-4+deb11u1+3

▶Ubuntufontforge/fontforge< 1:20190801~dfsg-4ubuntu0.1+3

▶NVDfontforge/fontforge20230101

Also affects: Debian Linux 10.0, Fedora 40

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

fontforge vulnerabilities↗2024-06-27

▶

GHSA

GHSA-2j3h-j2q3-wxp3: Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files↗2024-02-26

▶

CVEList

CVE-2024-25082: Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files↗2024-02-26

▶

OSV

CVE-2024-25082: Splinefont in FontForge through 20230101 allows command injection via crafted archives or compressed files↗2024-02-26

▶

📋Vendor Advisories

Ubuntu

FontForge vulnerabilities↗2024-06-27

▶

Red Hat

fontforge: command injection via crafted archives or compressed files↗2024-02-26

▶

Debian

CVE-2024-25082: fontforge - Splinefont in FontForge through 20230101 allows command injection via crafted ar...↗2024

▶