CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
AI Score
Confidence
High
EPSS
Percentile
9.6%
A vulnerability in the VirusEvent feature of ClamAV could allow a local
attacker to inject arbitrary commands with the privileges of the
application service account.The vulnerability is due to unsafe handling of
file names. A local attacker could exploit this vulnerability by supplying
a file name containing command-line sequences. When processed on a system
using configuration options for the VirusEvent feature, the attacker could
cause the application to execute arbitrary commands. ClamAV has released
software updates that address this vulnerability. There are no workarounds
that address this vulnerability.
Author | Note |
---|---|
mdeslaur | doesn’t appear to affect 0.103.x |