CVE-2020-15121

Name of the Vulnerable Software and Affected Versions radare2 versions prior to 4.5.0

Description The issue arises from malformed PDB file names in the PDB server path, leading to shell injection. This can be triggered by opening an executable in radare2 and running idpd, which initiates the download. As a result, shell code executes and creates a file named 'pwned' in the current directory.

Recommendations For versions prior to 4.5.0, update to version 4.5.0 or later to resolve the issue. As a temporary workaround, consider avoiding the use of idpd until a patch is applied. Restrict access to potentially malicious PDB files to minimize the risk of exploitation.