CVE-2021-41146

EPSS 0.89%
Published 21.10.2021 18:15:10
Last modified 21.11.2024 06:25:35
Source security-advisories@github.com
Teams watchlist Login
Open Login

qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known.

Affected products Warnungen 0 Metrics 3 CWE 3 References 5

Data is provided by the National Vulnerability Database (NVD)

Qutebrowser ≫ Qutebrowser Version <= 1.7.0

Qutebrowser ≫ Qutebrowser Version >= 2.0.0 < 2.4.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.89%	0.741

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P
security-advisories@github.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-641 Improper Restriction of Names for Files and Other Resources

The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430

Patch

Third Party Advisory

https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-41146

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-41146

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-41146

EUVD