#VU39365 OS Command Injection in Fedora - CVE-2017-5330


Updated: 2020-08-08

Vulnerability identifier: #VU39365

Vulnerability risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-5330

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Fedora
Operating systems & Components / Operating system

Vendor: Fedoraproject

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Ark before 16.12.1 might allow remote attackers to execute arbitrary code via an executable in an archive, related to associated applications.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

Fedora: 25
External links
https://www.openwall.com/lists/oss-security/2017/01/10/2
https://www.securityfocus.com/bid/95349
https://bugs.kde.org/show_bug.cgi?id=374572
https://cgit.kde.org/ark.git/commit/?id=82fdfd24d46966a117fa625b68784735a40f9065
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NIMZUCG6IQR5S65IVQOXQFQV7TMVSYAT/
https://security.gentoo.org/glsa/201701-69
Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.