8.8
CVE-2017-14500
- EPSS 3.08%
- Veröffentlicht 17.09.2017 05:29:00
- Zuletzt bearbeitet 13.05.2026 00:24:29
- CVE-Watchlists
- Unerledigt
Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure (i.e., a podcast file) that includes shell metacharacters in its filename, related to pb_controller.cpp and queueloader.cpp, a different vulnerability than CVE-2017-12904.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Newsbeuter ≫ Newsbeuter Version0.3
Newsbeuter ≫ Newsbeuter Version0.4
Newsbeuter ≫ Newsbeuter Version0.5
Newsbeuter ≫ Newsbeuter Version0.6
Newsbeuter ≫ Newsbeuter Version0.7
Newsbeuter ≫ Newsbeuter Version0.8
Newsbeuter ≫ Newsbeuter Version0.8.1
Newsbeuter ≫ Newsbeuter Version0.8.2
Newsbeuter ≫ Newsbeuter Version0.9
Newsbeuter ≫ Newsbeuter Version0.9.1
Newsbeuter ≫ Newsbeuter Version1.0
Newsbeuter ≫ Newsbeuter Version1.1
Newsbeuter ≫ Newsbeuter Version1.2
Newsbeuter ≫ Newsbeuter Version1.3
Newsbeuter ≫ Newsbeuter Version2.0
Newsbeuter ≫ Newsbeuter Version2.1
Newsbeuter ≫ Newsbeuter Version2.2
Newsbeuter ≫ Newsbeuter Version2.3
Newsbeuter ≫ Newsbeuter Version2.4
Newsbeuter ≫ Newsbeuter Version2.5
Newsbeuter ≫ Newsbeuter Version2.6
Newsbeuter ≫ Newsbeuter Version2.7
Newsbeuter ≫ Newsbeuter Version2.8
Newsbeuter ≫ Newsbeuter Version2.9
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.08% | 0.86 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 6.8 | 8.6 | 6.4 |
AV:N/AC:M/Au:N/C:P/I:P/A:P
|
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
https://usn.ubuntu.com/4585-1/
http://openwall.com/lists/oss-security/2017/09/16/1
http://www.debian.org/security/2017/dsa-3977
https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333
https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260
https://github.com/akrennmair/newsbeuter/issues/598