PT-2018-16230 · Leptonica+2

Published: 2018-02-12 · Updated: 2024-06-15 · CVE-2018-3836

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Leptonica version 1.74.4
Description: An exploitable command injection issue exists in the gplotMakeOutput function. A specially crafted gplot rootname argument can cause a command injection, resulting in arbitrary code execution. An attacker can provide a malicious path as input to an application that passes attacker data to this function to trigger this issue.
Recommendations: For Leptonica version 1.74.4, restrict the input that reaches the gplotMakeOutput function so that malicious paths cannot be injected, until a patch is available. As a temporary workaround, validate and sanitize all user-provided input to this function to minimize the risk of exploitation.
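As an added illustration of the recommended workaround (example code written here, not from Leptonica or from this advisory), the check below is what a calling application could apply to a user-supplied root name before handing it to Leptonica's gplot routines; the allowlisted character set, the length limit and the function names are assumptions.

```c
#include <string.h>

/* Added example (not Leptonica code): conservative validation of a
 * user-supplied gplot root name before it reaches gplotMakeOutput().
 * Policy is an allowlist: only characters that cannot alter a shell
 * command are accepted, so metacharacters never reach system(). */

/* Allowed: ASCII letters, digits, '_', '-', '.', and '/' as a separator. */
static int rootname_char_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-' ||
           c == '.' || c == '/';
}

/* Returns 1 if rootname is acceptable, 0 if it must be rejected.
 * MAX_ROOTNAME is an assumed policy limit, not a Leptonica constant. */
#define MAX_ROOTNAME 200
int rootname_is_safe(const char *rootname)
{
    size_t len, i, start = 0;

    if (rootname == NULL) return 0;
    len = strlen(rootname);
    if (len == 0 || len > MAX_ROOTNAME) return 0;
    if (rootname[0] == '-') return 0;        /* looks like an option flag */
    for (i = 0; i < len; i++)
        if (!rootname_char_ok((unsigned char)rootname[i])) return 0;
    /* Defense in depth: refuse ".." path components even though every
     * character passed the allowlist, so the generated files cannot
     * escape the intended directory. */
    for (i = 0; i <= len; i++) {
        if (i == len || rootname[i] == '/') {
            if (i - start == 2 && rootname[start] == '.' &&
                rootname[start + 1] == '.') return 0;
            start = i + 1;
        }
    }
    return 1;
}
```

A name that fails the check should be refused outright rather than escaped, because the root name is also used to build file names, not only a command line.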

Weakness Enumeration: OS Command Injection

Related Identifiers

CVE-2018-3836
DLA-1284-1
MGASA-2018-0154
MGASA-2018-0279
OPENSUSE-SU-2018_0429-1
OPENSUSE-SU-2024:10914-1
USN-4819-1

Affected Products

Leptonica
Suse
Ubuntu