OS Command Injection Affecting mediawiki package, versions <1:1.31.10-1~deb10u1
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
EPSS
1.4% (87th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DEBIAN10-MEDIAWIKI-1013168
- published 6 Aug 2020
- disclosed 11 Aug 2020
Introduced: 6 Aug 2020
CVE-2020-17368 Open this link in a new tabHow to fix?
Upgrade Debian:10 mediawiki to version 1:1.31.10-1~deb10u1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream mediawiki package and not the mediawiki package as distributed by Debian.
See How to fix? for Debian:10 relevant fixed versions and status.
Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command injection.
References
- https://security-tracker.debian.org/tracker/CVE-2020-17368
- https://www.debian.org/security/2020/dsa-4742
- https://www.debian.org/security/2020/dsa-4743
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JFXN3JJG4DIMN4TAHOTKFMS7SGM4EOTR/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W66IR5YT4KG464SKEMQN2NP2LGATGEGS/
- https://security.gentoo.org/glsa/202101-02
- https://github.com/netblue30/firejail/
- https://lists.debian.org/debian-lts-announce/2020/08/msg00033.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00036.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFXN3JJG4DIMN4TAHOTKFMS7SGM4EOTR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W66IR5YT4KG464SKEMQN2NP2LGATGEGS/