Main Vulnerability Database SB2017112218

SB2017112218 - OS Command Injection in korsakov ohcount

Published: November 22, 2017 Updated: August 8, 2020

Security Bulletin ID SB2017112218

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) OS Command Injection (CVE-ID: CVE-2017-16926)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Ohcount 3.0.0 is prone to a command injection via specially crafted filenames containing shell metacharacters, which can be exploited by an attacker (providing a source tree for Ohcount processing) to execute arbitrary code as the user running Ohcount.

Remediation

Install update from vendor's website.

References

https://bugs.debian.org/882372