CVE-2017-15108

Published: Jan 20, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary commands to be executed.

Vendor	Product	Versions
Red Hat, Inc.	spice-vdagent	affected `up to and including 0.17.0`

Weaknesses (CWE)

CWE-78

References

GLSA-201804-09

vendor-advisory

x_refsource_GENTOO

https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61

x_refsource_CONFIRM

[debian-lts-announce] 20210113 [SECURITY] [DLA 2524-1] spice-vdagent security update

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2017-15108

Description

Affected Products

Weaknesses (CWE)

References