CVE-2017-17530

2017-12-14T00:00:00

Description

** DISPUTED ** common/help.c in Geomview 1.9.5 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: this is disputed by a third party because no untrusted input can be used for the injection.

Affected Package

OS	OS Version	Package Name	Package Version
ubuntu	18.04	geomview	any
ubuntu	20.04	geomview	any
ubuntu	22.04	geomview	any
ubuntu	upstream	geomview	any
ubuntu	14.04	geomview	any
ubuntu	upstream	geomview	any
ubuntu	16.04	geomview	any

{"id": "UB:CVE-2017-17530", "vendorId": null, "type": "ubuntucve", "bulletinFamily": "info", "title": "CVE-2017-17530", "description": "** DISPUTED ** common/help.c in Geomview 1.9.5 does not validate strings\nbefore launching the program specified by the BROWSER environment variable,\nwhich might allow remote attackers to conduct argument-injection attacks\nvia a crafted URL. NOTE: this is disputed by a third party because no\nuntrusted input can be used for the injection.", "published": "2017-12-14T00:00:00", "modified": "2017-12-14T00:00:00", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.8}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://ubuntu.com/security/CVE-2017-17530", "reporter": "ubuntu.com", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17530", "https://sources.debian.org/src/geomview/1.9.5-1/src/bin/geomview/common/help.c/?hl=51#L83", "https://security-tracker.debian.org/tracker/CVE-2017-17530", "https://nvd.nist.gov/vuln/detail/CVE-2017-17530", "https://launchpad.net/bugs/cve/CVE-2017-17530", "https://security-tracker.debian.org/tracker/CVE-2017-17530"], "cvelist": ["CVE-2017-17530"], "immutableFields": [], "lastseen": "2023-01-27T14:17:11", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-17530"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-17530"]}], "rev": 4}, "score": {"value": 5.8, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2017-17530"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2017-17530"]}]}, "exploitation": null, "vulnersScore": 5.8}, "_state": {"dependencies": 1674829467, "score": 1674830054}, "_internal": {"score_hash": "9841c26330808a74c2154b26661edf91"}, "affectedPackage": [{"OS": "ubuntu", "OSVersion": "18.04", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needed", "packageName": "geomview"}, {"OS": "ubuntu", "OSVersion": "20.04", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needed", "packageName": "geomview"}, {"OS": "ubuntu", "OSVersion": "22.04", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needed", "packageName": "geomview"}, {"OS": "ubuntu", "OSVersion": "upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needed", "packageName": "geomview"}, {"OS": "ubuntu", "OSVersion": "14.04", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "does not exist", "packageName": "geomview"}, {"OS": "ubuntu", "OSVersion": "upstream", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needed", "packageName": "geomview"}, {"OS": "ubuntu", "OSVersion": "16.04", "arch": "noarch", "packageVersion": "any", "packageFilename": "UNKNOWN", "operator": "lt", "status": "needed", "packageName": "geomview"}], "bugs": []}

{"debiancve": [{"lastseen": "2022-10-21T06:02:17", "description": "** DISPUTED ** common/help.c in Geomview 1.9.5 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: this is disputed by a third party because no untrusted input can be used for the injection.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-12-14T16:29:00", "type": "debiancve", "title": "CVE-2017-17530", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-17530"], "modified": "2017-12-14T16:29:00", "id": "DEBIANCVE:CVE-2017-17530", "href": "https://security-tracker.debian.org/tracker/CVE-2017-17530", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-08-11T05:28:01", "description": "** DISPUTED ** common/help.c in Geomview 1.9.5 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: this is disputed by a third party because no untrusted input can be used for the injection.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2017-12-14T16:29:00", "type": "cve", "title": "CVE-2017-17530", "cwe": ["CWE-74"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-17530"], "modified": "2022-08-11T03:15:00", "cpe": ["cpe:/a:geomview:geomview:1.9.5"], "id": "CVE-2017-17530", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-17530", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:geomview:geomview:1.9.5:*:*:*:*:*:*:*"]}]}

CVE-2017-17530

Description

Affected Package

Related