CVE-2018-6353

27.01.2018, 15:29

The Python console in Electrum through 2.9.4 and 3.x through 3.0.5 supports arbitrary Python code without considering (1) social-engineering attacks in which a user pastes code that they do not understand and (2) code pasted by a physically proximate attacker at an unattended workstation, which makes it easier for attackers to steal Bitcoin via hook code that runs at a later time when the wallet password has been entered, a different vulnerability than CVE-2018-1000022.

OS Command Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitre	CNA	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Vendor	Product	Version
electrum	electrum	𝑥 ≤ 2.9.4
electrum	electrum	3.0.0
electrum	electrum	3.0.1
electrum	electrum	3.0.2
electrum	electrum	3.0.3
electrum	electrum	3.0.5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

electrum

bullseye	4.0.9-1 fixed
bookworm	4.3.4+dfsg1-1+deb12u1 fixed
trixie	4.5.8+ds-1 fixed
sid	4.5.8+ds-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

electrum

disco	dne
cosmic	dne
bionic	dne
artful	dne
xenial	dne
trusty	dne

Known Exploits!

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

https://github.com/spesmilo/electrum/issues/3678

https://github.com/spesmilo/electrum/pull/3700

https://github.com/spesmilo/electrum/issues/3678

https://github.com/spesmilo/electrum/pull/3700