OS Command Injection in Fedora - CVE-2017-5330
Published: March 27, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU39365
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-5330
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Fedoraproject
Affected software:
Fedora
Fedora
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
ark before 16.12.1 might allow remote attackers to execute arbitrary code via an executable in an archive, related to associated applications.
How to mitigate CVE-2017-5330
Install update from vendor's website.
Sources
- http://www.openwall.com/lists/oss-security/2017/01/10/2
- http://www.securityfocus.com/bid/95349
- https://bugs.kde.org/show_bug.cgi?id=374572
- https://cgit.kde.org/ark.git/commit/?id=82fdfd24d46966a117fa625b68784735a40f9065
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NIMZUCG6IQR5S65IVQOXQFQV7TMVSYAT/
- https://security.gentoo.org/glsa/201701-69