SB2024012483 - Multiple vulnerabilities in MATE desktop Atril
Published: January 24, 2024 Updated: March 12, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2023-51698)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation when handling CBT documents. A remote attacker can trick the victim to open a specially crafted document and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Path traversal (CVE-ID: CVE-2023-52076)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can trick the victim to open a specially crafted document and overwrite arbitrary files on the system.
Remediation
Install update from vendor's website.
References
- https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2
- https://github.com/mate-desktop/atril/commit/ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed
- https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37
- https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50
- https://github.com/mate-desktop/atril/releases/tag/v1.26.2