CVE-2023-51698

2024-01-1200:00:00

ubuntu.com

atril

document viewer

cve-2023-51698

command injection

vulnerability

tar archive

patch

debian

bug

launchpad

remote code execution

exploit

demo video

unix

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L

7.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.8%

JSON

Atril is a simple multi-page document viewer. Atril is vulnerable to a
critical Command Injection Vulnerability. This vulnerability gives the
attacker immediate access to the target system when the target user opens a
crafted document or clicks on a crafted link/URL using a maliciously
crafted CBT document which is a TAR archive. A patch is available at commit
ce41df6.

Bugs

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060751>

Notes

Author	Note
	Priority reason: Remote code execution vulnerability with available exploit and demo video.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchatril< anyUNKNOWN
ubuntu20.04noarchatril< anyUNKNOWN
ubuntu22.04noarchatril< anyUNKNOWN
ubuntu23.10noarchatril< anyUNKNOWN
ubuntu24.04noarchatril< anyUNKNOWN
ubuntu16.04noarchatril< anyUNKNOWN
ubuntu18.04noarchevince< anyUNKNOWN
ubuntu16.04noarchevince< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	atril	< any	UNKNOWN
ubuntu	20.04	noarch	atril	< any	UNKNOWN
ubuntu	22.04	noarch	atril	< any	UNKNOWN
ubuntu	23.10	noarch	atril	< any	UNKNOWN
ubuntu	24.04	noarch	atril	< any	UNKNOWN
ubuntu	16.04	noarch	atril	< any	UNKNOWN
ubuntu	18.04	noarch	evince	< any	UNKNOWN
ubuntu	16.04	noarch	evince	< any	UNKNOWN