CVE-2017-12904

Published Aug 23, 2017

Last updated 21 days ago

CVSS high 8.8

Overview

Description: Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.
Source: cve@mitre.org
NVD status: Deferred

Risk scores

CVSS 3.0

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 9.3
Impact score: 10
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:C/I:C/A:C

Weaknesses

nvd@nist.gov: CWE-943

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "684B7199-9344-4DBA-90AD-DEDEC056F213"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "45CD698E-70A1-43A0-B828-3DBD519DDDF9"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.8.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "379E21B5-D427-45EC-B674-9BCC8A47CA76"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.8.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EB0B1B93-8E8C-4A77-98F8-CE5BFED550DF"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "1C907407-E178-43BF-A433-9BC73EB7FD5F"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.9.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DB3A20C1-1FB7-43C8-A78E-FBEBB4E888AF"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:1.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A3F963DE-447B-4D6C-A508-C4449C67F1C8"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:1.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B7BAF663-30D1-4584-A0B0-CF02D2646877"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:1.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "50AD4B86-FED2-4469-BBD7-B698A7C1B4AE"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:1.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "62E8E19D-024A-4F73-B66F-87741325BC35"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:2.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5A34C699-1E62-4A54-B929-0C187299ABD8"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:2.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F5E5E120-42BD-4846-9C6B-D51804C902A1"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:2.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BFC168D9-75AB-43DD-A1F6-103F14AD9995"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:2.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9FA4C1C6-33AD-420C-ABA3-F7254A51BDDC"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:2.4:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2EC3FE66-8689-4F61-9035-00DAD02A1527"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:2.5:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0FADF671-B5B0-4634-AA18-15551363293B"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:2.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8E8DC0AC-DA20-4A93-9561-C2D906D0D1CD"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:2.7:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DD6A06A3-2A06-4DDC-851A-6B27B7BB7F24"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:2.8:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A5CDB422-35D4-42E5-A897-3C12C6E16E51"
          },
          {
            "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:2.9:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "8ECF398D-94EA-4628-99A2-35B698579B96"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA"
          },
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"
          },
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References