Henryk Plötz

**Name of the Vulnerable Software and Affected Versions** BlueZ versions 2.16 through 2.18 bluez-pcmcia-support (affected versions not specified) bluez-bcm203x (affected versions not specified) bluez-cups (affected versions not specified) bluez-utils (affected versions not specified) **Description** The issue concerns multiple vulnerabilities in the BlueZ package of the Debian GNU/Linux operating system, which can lead to breaches of confidentiality, integrity, and availability of protected information. These vulnerabilities can be exploited remotely. Specifically, in versions 2.16, 2.17, and 2.18 of BlueZ, the `security.c` file in `hcid` allows remote attackers to execute arbitrary commands via shell metacharacters in the Bluetooth device name when invoking the PIN helper. **Recommendations** For BlueZ versions 2.16 through 2.18, consider updating to a version that contains a fix for this issue. For bluez-pcmcia-support, bluez-bcm203x, bluez-cups, and bluez-utils, at the moment, there is no information about a newer version that contains a fix for this vulnerability.