Code Injection in Debian Linux
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2016-3153 |
| CWE-ID | CWE-94 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Debian Linux Operating systems & Components / Operating system SPIP Web applications / CMS |
| Vendor |
Debian spip.net |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Code Injection
EUVDB-ID: #VU40407
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-3153
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.
MitigationInstall update from vendor's website.
Vulnerable software versionsDebian Linux: 7.0 - 8.0
SPIP: 2.0.0 - 8.0
External linkshttp://www.debian.org/security/2016/dsa-3518
http://blog.spip.net/Mise-a-jour-CRITIQUE-de-securite-Sortie-de-SPIP-3-1-1-SPIP-3-0-22-et-SPIP-2-1.html?lang=fr
http://core.spip.net/projects/spip/repository/revisions/22911
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
