CVE-2023-1350

EUVD-2023-23608
A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input |date >/tmp/bad-item-link.txt leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-222848.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VulDBCNA
6.3 MEDIUM
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
Affected Products (NVD)
VendorProductVersion
liferea_projectliferea
𝑥
< 1.14.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
liferea
bookworm
1.14.4-3
fixed
bullseye
no-dsa
buster
no-dsa
sid
1.15.8-2
fixed
trixie
1.15.8-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
liferea
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
kinetic
ignored
lunar
ignored
mantic
not-affected
noble
not-affected
oracular
not-affected
trusty
ignored
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59
https://vuldb.com/?ctiid.222848
https://vuldb.com/?id.222848
https://github.com/lwindolf/liferea/commit/8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59
https://vuldb.com/?ctiid.222848
https://vuldb.com/?id.222848