CVE-2023-1350

A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VulDBCNA
6.3 MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 56%
VendorProductVersion
liferea_projectliferea
𝑥
< 1.14.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
liferea
bullseye
no-dsa
buster
no-dsa
bookworm
1.14.4-3
fixed
sid
1.15.8-2
fixed
trixie
1.15.8-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
liferea
oracular
not-affected
noble
not-affected
mantic
not-affected
lunar
ignored
kinetic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
Common Weakness Enumeration
References
https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59
https://vuldb.com/?ctiid.222848
https://vuldb.com/?id.222848
https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59
https://vuldb.com/?ctiid.222848
https://vuldb.com/?id.222848