OS Command Injection in newsbeuter (Alpine package)

1) OS Command Injection

EUVDB-ID: #VU33050

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-14500

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure (i.e., a podcast file) that includes shell metacharacters in its filename, related to pb_controller.cpp and queueloader.cpp, a different vulnerability than CVE-2017-12904.

Mitigation

Install update from vendor's website.

Vulnerable software versions

newsbeuter (Alpine package): 2.9-r3 - 2.9-r6

CPE2.3

• cpe:2.3:a:alpine:newsbeuter_alpine_package:2.9-r3:*:*:*:*:alpine_linux:*:3.2
• cpe:2.3:a:alpine:newsbeuter_alpine_package:2.9-r4:*:*:*:*:alpine_linux:*:3.2
• cpe:2.3:a:alpine:newsbeuter_alpine_package:2.9-r6:*:*:*:*:alpine_linux:*:3.7

External links

https://git.alpinelinux.org/aports/commit/?id=81a34954325f445f6264a1e6ef1015c9bbf41c28
https://git.alpinelinux.org/aports/commit/?id=6aea3418b22c37d1f94d4739b4cfe47da9dc31a9
https://git.alpinelinux.org/aports/commit/?id=8a8d97d5fa4aac9a893f2e1e60e56f89bf5e8868
https://git.alpinelinux.org/aports/commit/?id=ba1d5a943f3855aef29e87de310cab78ca9f6d5c
https://git.alpinelinux.org/aports/commit/?id=1d693bb50fd04cbc49ecda1b0c0e895ac9633025

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.