Remote code execution in Mumble
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2021-27229 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
mumble Other software / Other software solutions |
| Vendor | mumble-voip |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Input validation error
EUVDB-ID: #VU50817
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-27229
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when processing URL schemes. A remote attacker can create a specially crafted web page, trick the victim to open the web page, click on the "Open Webpage text" and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsmumble: 1.3.0 - 1.3.3
External linkshttp://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16bfd648
http://github.com/mumble-voip/mumble/compare/1.3.3...1.3.4
http://github.com/mumble-voip/mumble/pull/4733
http://lists.debian.org/debian-lts-announce/2021/02/msg00022.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
