Command injection in Leptonica - CVE-2018-3836
Published: February 2, 2018
Vulnerability identifier: #VU10359
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-3836
CWE-ID: CWE-77
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: DanBloomberg
Affected software:
Leptonica
Leptonica
Detailed vulnerability description
The vulnerability allows a remote attacker to inject arbitrary commands.
The weakness exists in the gplotMakeOutput function due to insufficient validation of user-supplied input. A local attacker can submit a specially crafted gplot rootname argument, inject arbitrary commands and execute arbitrary code with system or root privileges.
Successful exploitation of the vulnerabiiity may result in system compromise.
The weakness exists in the gplotMakeOutput function due to insufficient validation of user-supplied input. A local attacker can submit a specially crafted gplot rootname argument, inject arbitrary commands and execute arbitrary code with system or root privileges.
Successful exploitation of the vulnerabiiity may result in system compromise.
How to mitigate CVE-2018-3836
Update to version 1.75.1.