CVE-2017-15108: OS Command Injection
First published: Sat Jan 20 2018(Updated: )
spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary commands to be executed.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Spice-space Spice-vdagent | <=0.17.0 | |
| Debian Debian Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2017-15108?
The severity of CVE-2017-15108 is high with a CVSS score of 7.8.
What is the description of CVE-2017-15108?
CVE-2017-15108 is a vulnerability in spice-vdagent up to and including version 0.17.0, which allows a local attacker to inject arbitrary commands.
Which software versions are affected by CVE-2017-15108?
spice-vdagent up to and including version 0.17.0 and Debian Linux version 9.0 are affected by CVE-2017-15108.
How can a local attacker exploit CVE-2017-15108?
A local attacker with access to the session the agent runs in can exploit CVE-2017-15108 by injecting arbitrary commands.
Is there a fix available for CVE-2017-15108?
Yes, you can find information about the fix for CVE-2017-15108 in the provided references.
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/event
- agent/type
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/spice-space
- canonical/spice-space spice-vdagent
- version/spice-space spice-vdagent/0.17.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0