#VU87347 Path traversal in atril - CVE-2023-52076

Cybersecurity Help s.r.o.

Published: 2024-03-12

Vulnerability identifier: #VU87347

Vulnerability risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-52076

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
atril
Client/Desktop applications / Office applications

Vendor: MATE Desktop

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can trick the victim to open a specially crafted document and overwrite arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

atril: 1.10.0 - 1.27.0

External links
https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37
https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50
https://github.com/mate-desktop/atril/releases/tag/v1.26.2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Debian update for atril

Ubuntu update for atril

openEuler 20.03 LTS SP1 update for atril

openEuler 20.03 LTS SP4 update for atril

openEuler 22.03 LTS SP2 update for atril

openEuler 22.03 LTS SP1 update for atril

openEuler 22.03 LTS update for atril

openEuler 22.03 LTS SP3 update for atril

Multiple vulnerabilities in MATE desktop Atril