Vulnerability Name:

CVE-2008-0386 (CCN-40126)

Assigned:2008-01-21
Published:2008-01-21
Updated:2011-03-08
Summary:Xdg-utils 1.0.2 and earlier allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in a URL argument to (1) xdg-open or (2) xdg-email.
CVSS v3 Severity:5.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availibility (A): Low
CVSS v2 Severity:6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
5.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
3.8 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
Vulnerability Type:CWE-20
Vulnerability Consequences:Gain Access
References:Source: CONFIRM
Type: Exploit
http://bugs.gentoo.org/show_bug.cgi?id=207331

Source: MITRE
Type: CNA
CVE-2008-0386

Source: SUSE
Type: UNKNOWN
SUSE-SR:2008:004

Source: CCN
Type: SA28638
Xdg-utils Command Injection Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
28638

Source: CCN
Type: SA28728
Gentoo update for xdg-utils

Source: SECUNIA
Type: Vendor Advisory
28728

Source: SECUNIA
Type: UNKNOWN
29048

Source: GENTOO
Type: UNKNOWN
GLSA-200801-21

Source: CCN
Type: SECTRACK ID: 1019284
Xdg-Utils Input Validation Flaws Let Remote Users Execute Arbitrary Commands

Source: CONFIRM
Type: Exploit
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?r1=1.24&r2=1.25

Source: CONFIRM
Type: Exploit
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email.in?view=log

Source: CONFIRM
Type: Exploit
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-email?r1=1.36&r2=1.37

Source: CONFIRM
Type: Exploit
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open.in?r1=1.17&r2=1.18

Source: CONFIRM
Type: Exploit
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?r1=1.32&r2=1.33

Source: CONFIRM
Type: UNKNOWN
http://webcvs.freedesktop.org/portland/portland/xdg-utils/scripts/xdg-open?view=log

Source: CCN
Type: GLSA-200801-21
Xdg-Utils: Arbitrary command execution

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2008:031

Source: CCN
Type: OSVDB ID: 42838
Xdg-utils xdg-open URL Argument Arbitrary Command Execution

Source: CCN
Type: OSVDB ID: 42839
Xdg-utils xdg-email URL Argument Arbitrary Command Execution

Source: BID
Type: UNKNOWN
27528

Source: CCN
Type: BID-27528
xdg-utils 'xdg-open' and 'xdg-email' Multiple Remote Command Execution Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1019284

Source: VUPEN
Type: UNKNOWN
ADV-2008-0342

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=429513

Source: CCN
Type: Red Hat Bugzilla Bug 429513
CVE-2008-0386 xdg-open allows to execute arbitrary commands

Source: XF
Type: UNKNOWN
xdgutils-xgdopen-xdgemail-command-execution(40126)

Source: SUSE
Type: SUSE-SR:2008:004
SUSE Security Summary Report

Vulnerable Configuration:Configuration 1:
  • cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:x86-64:*:*:*:*:*
  • AND
  • cpe:/a:gentoo:xdg-utils:*:*:*:*:*:*:*:* (Version <= 1.0.2)

    • Configuration CCN 1:
  • cpe:/a:gentoo:xdg-utils:1.0.2:*:*:*:*:*:*:*
  • AND
  • cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2008.0:*:*:*:*:*:*:*
  • OR cpe:/o:mandrakesoft:mandrake_linux:2007.1::x86-64:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:20080386
    V
    		CVE-2008-0386
    2022-06-30
    oval:org.opensuse.security:def:113589
    P
    		xdg-utils-1.1.3+20201113-1.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:26217
    P
    		Security update for java-1_7_1-ibm (Moderate) (in QA)
    2022-01-04
    oval:org.opensuse.security:def:31336
    P
    		Security update for chrony (Moderate)
    2021-12-22
    oval:org.opensuse.security:def:26184
    P
    		Security update for log4j (Important)
    2021-12-17
    oval:org.opensuse.security:def:32246
    P
    		Security update for xorg-x11-server (Important)
    2021-12-14
    oval:org.opensuse.security:def:31321
    P
    		Security update for glib-networking (Important)
    2021-12-13
    oval:org.opensuse.security:def:42249
    P
    		Security update for python3 (Moderate)
    2021-12-13
    oval:org.opensuse.security:def:31310
    P
    		Security update for webkit2gtk3 (Important)
    2021-11-23
    oval:org.opensuse.security:def:31309
    P
    		Security update for postgresql10 (Important)
    2021-11-22
    oval:org.opensuse.security:def:26168
    P
    		Security update for the Linux Kernel (Important)
    2021-11-19
    oval:org.opensuse.security:def:26160
    P
    		Security update for binutils (Moderate)
    2021-11-09
    oval:org.opensuse.security:def:33021
    P
    		Security update for libqt5-qtsvg (Moderate)
    2021-10-11
    oval:org.opensuse.security:def:106975
    P
    		xdg-utils-1.1.3+20201113-1.2 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:32190
    P
    		Security update for the Linux Kernel (Live Patch 38 for SLE 12 SP3) (Important)
    2021-09-23
    oval:org.opensuse.security:def:26124
    P
    		Security update for openssl-1_1 (Low)
    2021-09-09
    oval:org.opensuse.security:def:31676
    P
    		Security update for openexr (Important)
    2021-09-02
    oval:org.opensuse.security:def:26110
    P
    		Security update for aspell (Important)
    2021-08-25
    oval:org.opensuse.security:def:32982
    P
    		Security update for java-1_8_0-openjdk (Important)
    2021-08-20
    oval:org.opensuse.security:def:32159
    P
    		Security update for webkit2gtk3 (Important)
    2021-08-03
    oval:org.opensuse.security:def:32134
    P
    		Security update for openexr (Important)
    2021-06-24
    oval:org.opensuse.security:def:32129
    P
    		Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)
    2021-06-18
    oval:org.opensuse.security:def:26079
    P
    		Security update for gupnp (Important)
    2021-06-18
    oval:org.opensuse.security:def:31204
    P
    		Security update for xterm (Important)
    2021-06-18
    oval:org.opensuse.security:def:26071
    P
    		Security update for the Linux Kernel (Important)
    2021-06-09
    oval:org.opensuse.security:def:36326
    P
    		xdg-utils-1.0.2-36.18 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:42733
    P
    		xdg-utils-1.0.2-36.18 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:32102
    P
    		Security update for polkit (Important)
    2021-06-03
    oval:org.opensuse.security:def:31619
    P
    		Security update for python3 (Important)
    2021-05-17
    oval:org.opensuse.security:def:32085
    P
    		Security update for tomcat (Important)
    2021-04-29
    oval:org.opensuse.security:def:31610
    P
    		Security update for MozillaFirefox (Important)
    2021-04-27
    oval:org.opensuse.security:def:26033
    P
    		Security update for ImageMagick (Moderate)
    2021-04-20
    oval:org.opensuse.security:def:32063
    P
    		Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)
    2021-04-07
    oval:org.opensuse.security:def:42057
    P
    		Security update for MozillaFirefox (Important)
    2021-04-01
    oval:org.opensuse.security:def:32278
    P
    		Security update for the Linux Kernel (Live Patch 34 for SLE 12 SP3) (Important)
    2021-03-17
    oval:org.opensuse.security:def:31742
    P
    		Security update for git (Important)
    2021-03-09
    oval:org.opensuse.security:def:31728
    P
    		Security update for jasper (Important)
    2021-02-16
    oval:org.opensuse.security:def:32239
    P
    		Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important)
    2021-02-10
    oval:org.opensuse.security:def:31572
    P
    		Security update for xen (Moderate)
    2020-12-29
    oval:org.opensuse.security:def:25977
    P
    		Security update for openssl-1_1 (Important)
    2020-12-10
    oval:org.opensuse.security:def:32010
    P
    		Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP3) (Important)
    2020-12-07
    oval:org.opensuse.security:def:35842
    P
    		xdg-utils-1.0.2-36.18 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:36058
    P
    		xdg-utils-1.0.2-36.18 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:42465
    P
    		xdg-utils-1.0.2-36.18 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:25969
    P
    		Security update for xen (Important)
    2020-12-03
    oval:org.opensuse.security:def:35650
    P
    		xdg-utils-1.0.2-36.18 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:31130
    P
    		Security update for kvm (Important)
    2020-12-01
    oval:org.opensuse.security:def:31485
    P
    		Security update for python (Important)
    2020-12-01
    oval:org.opensuse.security:def:31833
    P
    		Security update for bind (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:32576
    P
    		mailman on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31975
    P
    		Security update for jasper (Important)
    2020-12-01
    oval:org.opensuse.security:def:31524
    P
    		Security update for rsync (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:32300
    P
    		Security update for python (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31878
    P
    		Security update for dhcp (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:32546
    P
    		libadns1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:33289
    P
    		xdg-utils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25277
    P
    		Security update for git (Important)
    2020-12-01
    oval:org.opensuse.security:def:25627
    P
    		Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:25919
    P
    		Security update for libplist (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26650
    P
    		xdg-utils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25404
    P
    		Security update for spice (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25734
    P
    		Security update for python3 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26806
    P
    		perl-libwww-perl on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25608
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:25892
    P
    		Security update for gstreamer-0_10-plugins-good (Important)
    2020-12-01
    oval:org.opensuse.security:def:26237
    P
    		Security update for mariadb-100 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26383
    P
    		Security update for Mozilla Thunderbird (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25875
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:26452
    P
    		Security update for phpMyAdmin (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26607
    P
    		libvorbis on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31872
    P
    		Security update for curl (Important)
    2020-12-01
    oval:org.opensuse.security:def:32615
    P
    		xdg-utils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:32024
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:32767
    P
    		pcsc-lite on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31525
    P
    		Security update for rsyslog
    2020-12-01
    oval:org.opensuse.security:def:31834
    P
    		Security update for bind (Important)
    2020-12-01
    oval:org.opensuse.security:def:32344
    P
    		Security update for spice (Important)
    2020-12-01
    oval:org.opensuse.security:def:31792
    P
    		Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:32402
    P
    		Security update for vim (Important)
    2020-12-01
    oval:org.opensuse.security:def:32568
    P
    		libsnmp15-32bit on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25201
    P
    		Security update for java-1_8_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:25405
    P
    		Security update for spice-gtk (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25778
    P
    		Security update for mariadb (Important)
    2020-12-01
    oval:org.opensuse.security:def:25933
    P
    		Security update for gstreamer-0_10-plugins-good (Important)
    2020-12-01
    oval:org.opensuse.security:def:25468
    P
    		Security update for libarchive (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25818
    P
    		Security update for flash-player (Important)
    2020-12-01
    oval:org.opensuse.security:def:26841
    P
    		xdg-utils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25619
    P
    		Security update for libmspack (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25949
    P
    		Security update for icu (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26286
    P
    		Security update for libcdio (Low)
    2020-12-01
    oval:org.opensuse.security:def:27021
    P
    		pyxml on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25876
    P
    		Security update for libssh (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26505
    P
    		Security update for phpMyAdmin (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26651
    P
    		xen on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31118
    P
    		Security update for krb5 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31894
    P
    		Security update for fetchmail (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31395
    P
    		Security update for perl
    2020-12-01
    oval:org.opensuse.security:def:31763
    P
    		Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:32806
    P
    		xdg-utils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31536
    P
    		Security update for samba (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31891
    P
    		Security update for expat (Important)
    2020-12-01
    oval:org.opensuse.security:def:31793
    P
    		Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:32458
    P
    		Security update for xorg-x11-libX11 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:32612
    P
    		w3m on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25202
    P
    		Security update for libgxps (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25486
    P
    		Security update for openssl-1_1 (Important)
    2020-12-01
    oval:org.opensuse.security:def:25831
    P
    		Security update for flash-player (Important)
    2020-12-01
    oval:org.opensuse.security:def:25392
    P
    		Security update for samba (Important)
    2020-12-01
    oval:org.opensuse.security:def:25596
    P
    		Security update for xorg-x11-server (Important)
    2020-12-01
    oval:org.opensuse.security:def:25683
    P
    		Security update for ucode-intel (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26325
    P
    		Security update for Chromium (Important)
    2020-12-01
    oval:org.opensuse.security:def:27056
    P
    		xdg-utils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25887
    P
    		Security update for ImageMagick (Important)
    2020-12-01
    oval:org.opensuse.security:def:26554
    P
    		ghostscript-fonts-other on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:27289
    P
    		sendmail on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31119
    P
    		Security update for krb5
    2020-12-01
    oval:org.opensuse.security:def:31428
    P
    		Security update for php53 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31784
    P
    		Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:31938
    P
    		Security update for glibc (Important)
    2020-12-01
    oval:org.opensuse.security:def:31527
    P
    		Security update for Ruby
    2020-12-01
    oval:org.opensuse.security:def:31919
    P
    		Security update for ghostscript-library (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:31978
    P
    		Security update for java-1_7_1-ibm (Important)
    2020-12-01
    oval:org.opensuse.security:def:31804
    P
    		Security update for ant (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:32507
    P
    		evolution-data-server on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:33250
    P
    		rsync on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25213
    P
    		Security update for ntp (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25543
    P
    		Security update for libgxps (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25880
    P
    		Security update for libvirt (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26615
    P
    		mozilla-xulrunner191 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25393
    P
    		Security update for libqt5-qtbase (Important)
    2020-12-01
    oval:org.opensuse.security:def:25677
    P
    		Security update for raptor (Important)
    2020-12-01
    oval:org.opensuse.security:def:26022
    P
    		Security update for icu (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:25607
    P
    		Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:25811
    P
    		Security update for libvirt (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26339
    P
    		Security update for openjpeg2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:25951
    P
    		Security update for pcsc-lite (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26301
    P
    		Security update for gd (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:26593
    P
    		libnetpbm10 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:27324
    P
    		xdg-utils on GA media (Moderate)
    2020-12-01
    BACK
    mandrakesoft mandrake linux 2007.1
    mandrakesoft mandrake linux 2007.1
    mandrakesoft mandrake linux 2008.0
    mandrakesoft mandrake linux 2008.0
    gentoo xdg-utils *
    gentoo xdg-utils 1.0.2
    gentoo linux *
    mandrakesoft mandrake linux 2007.1
    mandrakesoft mandrake linux 2008.0
    mandrakesoft mandrake linux 2008.0
    mandrakesoft mandrake linux 2007.1