Main Vulnerability Database SB2017113053

SB2017113053 - Arch Linux update for shadowsocks-libev

Published: November 30, 2017 Updated: November 30, 2017

Security Bulletin ID SB2017113053

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) OS Command Injection (CVE-ID: CVE-2017-15924)

The vulnerability allows a local authenticated user to execute arbitrary code.

In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server, build_config, and construct_command_line functions.

Remediation

Install update from vendor's website.

References

https://security.archlinux.org/advisory/ASA-201711-40