// For flags

CVE-2023-35963

Debian Security Advisory 5653-1

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple OS command injection vulnerabilities exist in the decompression functionality of GTKWave 3.3.115. A specially crafted wave file can lead to arbitrary command execution. A victim would need to open a malicious file to trigger these vulnerabilities.This vulnerability concerns decompression in the `vcd2lxt2` utility.

Existen múltiples vulnerabilidades de inyección de comandos del sistema operativo en la funcionalidad de descompresión de GTKWave 3.3.115. Un archivo wave especialmente manipulado puede provocar la ejecución de comandos arbitrarios. Una víctima necesitaría abrir un archivo malicioso para activar estas vulnerabilidades. Esta vulnerabilidad se refiere a la descompresión en la utilidad `vcd2lxt2`.

Claudio Bozzato discovered multiple security issues in gtkwave, a file waveform viewer for VCD (Value Change Dump) files, which may result in the execution of arbitrary code if malformed files are opened.

*Credits: Discovered by Claudio Bozzato of Cisco Talos.
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-06-20 CVE Reserved
  • 2024-01-08 CVE Published
  • 2025-02-13 CVE Updated
  • 2025-02-13 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Tonybybell
Search vendor "Tonybybell"
 Gtkwave
Search vendor "Tonybybell" for product "Gtkwave"
 3.3.115
Search vendor "Tonybybell" for product "Gtkwave" and version "3.3.115"
-
Affected