CVE-2023-7093

Name of the Vulnerable Software and Affected Versions KylinSoft kylin-system-updater versions up to 2.0.5.16-0k2.33

Description A critical vulnerability has been found in the KylinSoft kylin-system-updater. The issue is related to the manipulation of the SetDownloadspeedMax argument, which leads to os command injection. This can be exploited locally. The exploit has been disclosed to the public.

Recommendations For KylinSoft kylin-system-updater versions up to 2.0.5.16-0k2.33, as a temporary workaround, consider restricting access to the SetDownloadspeedMax argument in the /usr/share/kylin-system-updater/SystemUpdater/UpgradeStrategiesDbus.py file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.