Arbitrary Code Injection in sensible-utils

Do your applications use this vulnerable package? Test your applications

Overview

sensible-browser in sensible-utils before 0.0.11 does not validate strings before launching the program specified by the BROWSER environment variable, which allows remote attackers to conduct argument-injection attacks via a crafted URL, as demonstrated by a --proxy-pac-file argument.

References

Debian Bug Report
Debian Security Advisory
Debian Security Announcement
Debian Security Tracker
Ubuntu CVE Tracker
Ubuntu Security Advisory
http://metadata.ftp-master.debian.org/changelogs/main/s/sensible-utils/sensible-utils_0.0.11_changelog

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

Required
Scope

Unchanged
Confidentiality

High
Integrity

High
Availability

High

CVE: CVE-2017-17512
CWE: CWE-74
Snyk ID: SNYK-DEBIAN9-SENSIBLEUTILS-323135
Disclosed: 11 Dec, 2017
Published: 11 Dec, 2017

Arbitrary Code Injection
Affecting sensible-utils package, versions <0.0.9+deb9u1

Overview

References

CVSS Score

Arbitrary Code Injection Affecting sensible-utils package, versions <0.0.9+deb9u1

Overview

References

Arbitrary Code Injection
Affecting sensible-utils package, versions <0.0.9+deb9u1