OS Command Injection in newsbeuter (Alpine package)



Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-12904
CWE-ID CWE-78
Exploitation vector Network
Public exploit N/A
Vulnerable software
newsbeuter (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) OS Command Injection

EUVDB-ID: #VU33984

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-12904

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation when processing the title and URL of RSS items. A remote attacker can deliver specially crafted data to the application via an RSS feed and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
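To make the defect class concrete, here is an added illustration (not code from the advisory, from newsbeuter, or from Alpine) of the difference between splicing feed-controlled fields into a shell command string and passing them as separate arguments without a shell. The feed document, the `bookmark.sh` name and the use of `printf` as a stand-in bookmark program are all constructed for this example.

```python
import shlex
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample feed (not from the advisory); the item title contains shell metacharacters.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item><title>Weekly notes; echo INJECTED $(date)</title>
<link>https://example.invalid/post</link></item>
</channel></rss>"""


def parse_items(rss_xml):
    """Return (url, title) pairs for every <item> in an RSS 2.0 document."""
    root = ET.fromstring(rss_xml)
    return [(i.findtext("link", ""), i.findtext("title", "")) for i in root.iter("item")]


def unsafe_bookmark_cmdline(bookmark_cmd, url, title):
    """Vulnerable pattern: feed-controlled fields spliced into a single shell command string.
    Handed to a shell, the ';' and '$( )' in the title are read as command syntax,
    not as part of the title. This function only builds the string; it never runs it."""
    return f"{bookmark_cmd} {url} {title}"


def safe_bookmark_argv(bookmark_cmd, url, title):
    """Hardened form: an argv list executed without a shell, so each field reaches the
    bookmark program as exactly one argument regardless of its contents."""
    return [bookmark_cmd, url, title]


def shell_sensitive_fields(url, title):
    """Defensive check: name the fields that would change meaning if placed unquoted
    in a shell line (shlex.quote leaves a string unchanged only when it is shell-safe)."""
    return [name for name, val in (("url", url), ("title", title)) if shlex.quote(val) != val]


def run_bookmark_without_shell(url, title):
    """Exercise the safe path. 'printf' stands in for the hypothetical bookmark script and
    prints each argument on its own line, showing the title arrived as one literal value."""
    argv = safe_bookmark_argv("printf", url, title)
    argv.insert(1, "%s\n")  # printf format is reused for every remaining argument
    out = subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    return out.splitlines()


if __name__ == "__main__":
    for url, title in parse_items(SAMPLE_RSS):
        print("unsafe string:", unsafe_bookmark_cmdline("bookmark.sh", url, title))
        print("fields needing care:", shell_sensitive_fields(url, title))
        print("argv as delivered:", run_bookmark_without_shell(url, title))
```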

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

newsbeuter (Alpine package): 2.9-r3 - 2.9-r6

External links

https://git.alpinelinux.org/aports/commit/?id=81a34954325f445f6264a1e6ef1015c9bbf41c28
https://git.alpinelinux.org/aports/commit/?id=5bcbae5206b9426d2a2448d4f4e1b2af6ccde039
https://git.alpinelinux.org/aports/commit/?id=87767f695c4ae5a5f0f5c7b878e5a996d78fd859
https://git.alpinelinux.org/aports/commit/?id=11e04ac2e09480aaa71ff041b2ddc627a688b8d3
https://git.alpinelinux.org/aports/commit/?id=cc255661a9219783ad588a6543b506336e60306a


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.