Lucene search

GitHub_MCVELIST:CVE-2023-50254

HistoryDec 22, 2023 - 4:49 p.m.

CVE-2023-50254 Deepin Reader RCE vulnerability due to a design flaw

2023-12-2216:49:48

CWE-27

CWE-22

GitHub_M

www.cve.org

deepin linux software

vulnerability

remote command execution

file overwrite

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

9.7 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

78.5%

JSON

Deepin Linux’s default document reader deepin-reader software suffers from a serious vulnerability in versions prior to 6.0.7 due to a design flaw that leads to remote command execution via crafted docx document. This is a file overwrite vulnerability. Remote code execution (RCE) can be achieved by overwriting files like .bash_rc, .bash_login, etc. RCE will be triggered when the user opens the terminal. Version 6.0.7 contains a patch for the issue.

CNA Affected

[
  {
    "vendor": "linuxdeepin",
    "product": "developer-center",
    "versions": [
      {
        "version": "< 6.0.7",
        "status": "affected"
      }
    ]
  }
]

References

github.com/linuxdeepin/deepin-reader/commit/4db7a079fb7bd77257b1b9208a7ab26aade8fe04

github.com/linuxdeepin/deepin-reader/commit/c192fd20a2fe4003e0581c3164489a89e06420c6

github.com/linuxdeepin/developer-center/security/advisories/GHSA-q9jr-726g-9495

9.3 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

9.7 High

AI Score

Confidence

High

0.006 Low

EPSS

Percentile

78.5%

JSON

Related for CVELIST:CVE-2023-50254