CVE-2017-17513
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua.
TeX Live hasta la versión 20170524 no valida cadenas antes de iniciar el programa especificado por la variable de entorno BROWSER. Esto podría permitir que atacantes remotos lleven a cabo ataques de inyección de argumentos mediante una URL manipulada. Esto se relaciona con linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua y texmf-dist/tex/luatex/lualibs/lualibs-os.lua.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-12-11 CVE Reserved
- 2017-12-14 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-26 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CAPEC
References (1)
URL | Tag | Source |
---|---|---|
https://security-tracker.debian.org/tracker/CVE-2017-17513 | Third Party Advisory |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Tug Search vendor "Tug" | Tex Live Search vendor "Tug" for product "Tex Live" | <= 20170524 Search vendor "Tug" for product "Tex Live" and version " <= 20170524" | - |
Affected
|