CVE-2023-52076

25.01.2024, 16:15

Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. A path traversal and arbitrary file write vulnerability exists in versions of Atril prior to 1.26.2. This vulnerability is capable of writing arbitrary files anywhere on the filesystem to which the user opening a crafted document has access. The only limitation is that this vulnerability cannot be exploited to overwrite existing files, but that doesn't stop an attacker from achieving Remote Command Execution on the target system. Version 1.26.2 of Atril contains a patch for this vulnerability.

Path Traversal

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.5 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
GitHub_M	CNA	8.5 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 92%

Vendor	Product	Version
mate-desktop	atril	𝑥 < 1.26.2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

atril

bullseye (security)	1.24.0-1+deb11u1 fixed
bullseye	1.24.0-1+deb11u1 fixed
bookworm	1.26.0-2+deb12u3 fixed
bookworm (security)	1.26.0-2+deb12u3 fixed
sid	1.26.2-3 fixed

Ubuntu Releases

Ubuntu Product

Codename

atril

noble	not-affected
mantic	Fixed 1.26.0-2ubuntu0.1 released
jammy	Fixed 1.26.0-1ubuntu1.1 released
focal	Fixed 1.24.0-1ubuntu0.1 released
bionic	Fixed 1.20.1-2ubuntu2+esm1 released
xenial	Fixed 1.12.2-1ubuntu0.3+esm1 released
trusty	dne

Known Exploits!

Common Weakness Enumeration

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References

https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50

https://github.com/mate-desktop/atril/releases/tag/v1.26.2

https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37

https://lists.debian.org/debian-lts-announce/2024/06/msg00003.html

https://github.com/mate-desktop/atril/commit/e70b21c815418a1e6ebedf6d8d31b8477c03ba50

https://github.com/mate-desktop/atril/releases/tag/v1.26.2

https://github.com/mate-desktop/atril/security/advisories/GHSA-6mf6-mxpc-jc37

https://lists.debian.org/debian-lts-announce/2024/06/msg00003.html