CVE-2010-2809: Code Injection
First published: Fri Aug 06 2010(Updated: )
Quoting the upstream news advisory [1]: "The 2010.08.05 release comes with a patched config file. With shell code in hyperlinks on a page, one of the sample (uzbl-core) resp. default (uzbl-browser) button bindings (binding for mousebutton2) would execute this code. Note that just upgrading your uzbl is not enough. If you have an existing config, the change will not be automatically applied. So be sure you have this change in your config." And an associated bug report [2] exists as well. There is no patch noted in the bug report. This would affect all versions of Fedora. [1] <a href="http://www.uzbl.org/news.php?id=29">http://www.uzbl.org/news.php?id=29</a> [2] <a href="http://www.uzbl.org/bugs/index.php?do=details&task_id=240">http://www.uzbl.org/bugs/index.php?do=details&task_id=240</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| uzbl | <=2010.04.03 | |
| uzbl | =2010.01.04 | |
| uzbl | =2009.12.22 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=621964
- http://www.uzbl.org/news.php?id=29
- https://bugzilla.redhat.com/show_bug.cgi?id=621965
- http://marc.info/?l=oss-security&m=128111994317381&w=2
- http://www.uzbl.org/bugs/index.php?do=details&task_id=240
- http://www.securityfocus.com/bid/42297
- http://github.com/pawelz/uzbl/commit/342f292c27973c9df5f631a38bd12f14a9c5cdc2
- http://marc.info/?l=oss-security&m=128111493509265&w=2
- http://github.com/Dieterbe/uzbl/commit/9cc39cb5c9396be013b5dc2ba7e4b3eaa647e975
- https://exchange.xforce.ibmcloud.com/vulnerabilities/61011
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=621965
- https://access.redhat.com/security/cve/CVE-2010-2809
Frequently Asked Questions
What is the severity of CVE-2010-2809?
CVE-2010-2809 is considered a medium severity vulnerability due to its potential to execute arbitrary shell code through hyperlinks.
How do I fix CVE-2010-2809?
To fix CVE-2010-2809, you should upgrade to a version of uzbl released after 2010.08.05.
What software is affected by CVE-2010-2809?
CVE-2010-2809 affects uzbl versions up to and including 2010.04.03 and specific earlier versions including 2009.12.22 and 2010.01.04.
What exploits are associated with CVE-2010-2809?
CVE-2010-2809 can be exploited via crafted hyperlinks that contain shell code, affecting users who interact with those links.
Who is impacted by CVE-2010-2809?
Users of uzbl versions prior to the patched release are at risk of exploitation from CVE-2010-2809.
- collector/redhat-bugzilla
- alias/CVE-2010-2809
- agent/references
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- agent/description
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/uzbl
- canonical/uzbl
- version/uzbl/2010.04.03
- version/uzbl/2010.01.04
- version/uzbl/2009.12.22