CVE-2017-15924
https://notcve.org/view.php?id=CVE-2017-15924
In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server, build_config, and construct_command_line functions. En manager.c en ss-manager en shadowsocks-libev 3.1.0, un análisis sintáctico incorrecto permite que se inyecten comandos mediante metacaracteres shell en una petición de configuración JSON recibida mediante tráfico UDP 127.0.0.1. Esto está relacionado con las funciones add_server, build_config y construct_command_line. • http://openwall.com/lists/oss-security/2017/10/13/2 http://www.debian.org/security/2017/dsa-4009 https://github.com/shadowsocks/shadowsocks-libev/commit/c67d275803dc6ea22c558d06b1f7ba9f94cd8de3 https://github.com/shadowsocks/shadowsocks-libev/issues/1734 https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •