PT-2018-3461 · Freedesktop.Org+3 · Xdg-Utils+3

Gabriel Corona

Published

2018-05-10

Updated

2024-06-15

CVE-2017-18266

CVSS v2.0

9.3

High

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: xdg-utils versions prior to 1.1.3

Description: The issue is related to the open envvar function in xdg-open, which does not properly validate strings before launching the program specified by the BROWSER environment variable. This could allow remote attackers to conduct argument-injection attacks via a crafted URL. For example, using %s in the BROWSER environment variable could lead to such an attack. The vulnerability might also allow a remote attacker to gain unauthorized access to information and disrupt its integrity and availability.

Recommendations: For versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider validating the strings passed to the open envvar function or restricting the use of the BROWSER environment variable to minimize the risk of exploitation.

Fix

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-74

Related Identifiers

ALT-PU-2018-1958

BDU:2020-01814

CVE-2017-18266

DLA-1384-1

DSA-4211-1

MGASA-2018-0289

OPENSUSE-SU-2018_1596-1

OPENSUSE-SU-2024:11518-1

SUSE-SU-2018:1497-1

SUSE-SU-2018_1497-1

USN-3650-1

Affected Products

Alt Linux

Suse

Ubuntu

Xdg-Utils

PT-2018-3461 · Freedesktop.Org+3 · Xdg-Utils+3

CVE-2017-18266

Weakness Enumeration

Related Identifiers

Affected Products

References · 41