CVE-2017-17522

Name of the Vulnerable Software and Affected Versions Python versions through 3.6.3

Description The issue is related to insufficient neutralization of special elements in a request, which may allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The problem lies in the Lib/webbrowser.py component of the Python interpreter, where strings are not properly validated before launching a program specified by the BROWSER environment variable. This could potentially allow remote attackers to conduct argument-injection attacks via a crafted URL. However, a software maintainer indicates that exploitation is impossible due to the code relying on subprocess.Popen and the default shell=False setting.

Recommendations For versions through 3.6.3, consider disabling the use of the BROWSER environment variable or restricting its use to trusted sources until a patch is available. As a temporary workaround, avoid using the BROWSER environment variable in the affected Lib/webbrowser.py component. At the moment, there is no information about a newer version that contains a fix for this vulnerability.