PT-2017-14838 · Scummvm Team+1 · Scummvm+1

Published

2017-12-14

Updated

2024-06-15

CVE-2017-17528

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions ScummVM version 1.9.0

Description The issue concerns the failure to validate strings before launching a program specified by the BROWSER environment variable. This could allow remote attackers to conduct argument-injection attacks via a crafted URL.

Recommendations For ScummVM version 1.9.0, consider disabling the use of the BROWSER environment variable until a patch is available to prevent potential argument-injection attacks. Restrict access to the posix.cpp file to minimize the risk of exploitation. Avoid using the BROWSER environment variable in the affected posix.cpp file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74

Related Identifiers

CVE-2017-17528

MGASA-2018-0278

OPENSUSE-SU-2024:11375-1

Affected Products

Debian

Scummvm

PT-2017-14838 · Scummvm Team+1 · Scummvm+1

CVE-2017-17528

Weakness Enumeration

Related Identifiers

Affected Products

References · 15