CVE-2017-17513

TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua.
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 65%
VendorProductVersion
tugtex_live
𝑥
≤ 20170524
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
context
bullseye
unimportant
wheezy
not-affected
bullseye (security)
unimportant
bookworm
unimportant
sid
unimportant
trixie
unimportant
texlive-base
bullseye
unimportant
wheezy
not-affected
bookworm
unimportant
trixie
unimportant
sid
unimportant
texlive-bin
bullseye
unimportant
wheezy
not-affected
bullseye (security)
unimportant
bookworm
unimportant
trixie
unimportant
sid
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
context
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
hirsute
ignored
groovy
ignored
focal
needs-triage
eoan
ignored
disco
ignored
cosmic
ignored
bionic
needs-triage
artful
ignored
zesty
ignored
xenial
needs-triage
trusty
dne
texlive-base
noble
needed
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needed
impish
ignored
hirsute
ignored
groovy
ignored
focal
needed
eoan
ignored
disco
ignored
cosmic
ignored
bionic
needed
artful
ignored
zesty
ignored
xenial
needed
trusty
dne
texlive-bin
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
hirsute
ignored
groovy
ignored
focal
needs-triage
eoan
ignored
disco
ignored
cosmic
ignored
bionic
needs-triage
artful
ignored
zesty
ignored
xenial
needs-triage
trusty
dne
Common Weakness Enumeration
References
https://security-tracker.debian.org/tracker/CVE-2017-17513
https://security-tracker.debian.org/tracker/CVE-2017-17513