Vulnerability Name:

CVE-2020-17368 (CCN-186823)

Assigned: 2020-08-06
Published: 2020-08-06
Updated: 2022-10-29
Summary: Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command injection.
CVSS v3 Severity: 9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): High
    Integrity (I): High
    Availability (A): High
  9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  8.5 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): None
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): High
    Integrity (I): High
    Availability (A): High
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Partial
    Integrity (I): Partial
    Availability (A): Partial
  10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): None
  Impact Metrics:
    Confidentiality (C): Complete
    Integrity (I): Complete
    Availability (A): Complete
Vulnerability Type: CWE-78 (OS Command Injection)
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2020-17368

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:1208

Source: XF
Type: UNKNOWN
firejail-cve202017368-cmd-exec(186823)

Source: MISC
Type: Third Party Advisory
https://github.com/netblue30/firejail/

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200822 [SECURITY] [DLA 2336-1] firejail security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-80a6d7e7e0

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2020-45fc8559d5

Source: GENTOO
Type: Third Party Advisory
GLSA-202101-02

Source: CCN
Type: Debian Security Advisory
DSA-4742-1 firejail -- security update

Source: DEBIAN
Type: Third Party Advisory
DSA-4742

Source: DEBIAN
Type: Third Party Advisory
DSA-4743

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:firejail_project:firejail:*:*:*:*:*:*:*:* (Version <= 0.9.62)

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:fedoraproject:fedora:31:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:firejail_project:firejail:0.9.62:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions (Class: V = vulnerability definition, P = patch definition)

Definition ID                              | Class | Title                                                        | Last Modified
-------------------------------------------|-------|--------------------------------------------------------------|--------------
oval:org.opensuse.security:def:202017368   | V     | CVE-2020-17368                                               | 2022-06-30
oval:org.opensuse.security:def:112233      | P     | firejail-0.9.66-1.2 on GA media (Moderate)                   | 2022-01-17
oval:org.opensuse.security:def:64785       | P     | Security update for fetchmail (Moderate)                     | 2021-10-20
oval:org.opensuse.security:def:105763      | P     | firejail-0.9.66-1.2 on GA media (Moderate)                   | 2021-10-01
oval:org.opensuse.security:def:63238       | P     | skopeo-0.1.32-4.5.1 on GA media (Moderate)                   | 2021-09-21
oval:org.opensuse.security:def:64576       | P     | Security update for libcroco (Moderate)                      | 2021-09-16
oval:org.opensuse.security:def:64575       | P     | Security update for ghostscript (Critical)                   | 2021-09-15
oval:org.opensuse.security:def:63028       | P     | openldap2-devel-32bit-2.4.46-9.51.1 on GA media (Moderate)   | 2021-08-09
oval:org.opensuse.security:def:63032       | P     | perl-Config-IniFiles-2.94-1.23 on GA media (Moderate)        | 2021-08-09
oval:org.opensuse.security:def:63035       | P     | perl-Net-Libproxy-0.4.15-12.72 on GA media (Moderate)        | 2021-08-09
oval:org.opensuse.security:def:63060       | P     | gv-3.7.4-1.41 on GA media (Moderate)                         | 2021-06-08
oval:org.opensuse.security:def:63531       | P     | colord-1.4.2-1.37 on GA media (Moderate)                     | 2021-06-08
oval:org.opensuse.security:def:64683       | P     | Security update for libxml2 (Moderate)                       | 2021-05-05
oval:org.opensuse.security:def:111216      | P     | Security update for firejail (Important)                     | 2021-02-10
oval:org.opensuse.security:def:64439       | P     | Security update for python3 (Important)                      | 2020-12-02
oval:org.opensuse.security:def:63734       | P     | Security update for the Linux Kernel (Important)             | 2020-12-01
oval:org.opensuse.security:def:75030       | P     | Security update for firejail (Moderate)                      | 2020-12-01
oval:org.opensuse.security:def:64843       | P     | Security update for the Linux Kernel (Important)             | 2020-12-01
oval:org.opensuse.security:def:63881       | P     | Security update for wireshark (Moderate)                     | 2020-12-01
oval:org.opensuse.security:def:64955       | P     | Security update for libvpx (Moderate)                        | 2020-12-01
oval:org.opensuse.security:def:64110       | P     | Security update for the Linux Kernel (Important)             | 2020-12-01
oval:org.opensuse.security:def:74897       | P     | Security update for sysstat (Low)                            | 2020-12-01
oval:org.opensuse.security:def:110725      | P     | Security update for firejail (Moderate)                      | 2020-08-14