A vulnerability was found in liferea. It has been rated as critical. Affected by this issue is the function update_job_run of the file src/update.c of the component Feed Enrichment. The manipulation of the argument source with the input value |date >/tmp/bad-item-link.txt leads to a os command injection vulnerability. Using CWE to declare the problem leads to CWE-78. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability.

The weakness was presented 03/11/2023 as 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59. The advisory is shared for download at github.com. This vulnerability is handled as CVE-2023-1350. Technical details as well as a public exploit are known. The MITRE ATT&CK project declares the attack technique as T1202.

The exploit is available at github.com. It is declared as proof-of-concept.

Applying the patch 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59 is able to eliminate this problem. The bugfix is ready for download at github.com. The advisory contains the following remark:

Currently there are a few places in the code that do not check URLs for the presence of a command prefix, allowing malicious websites to run any command in the local system.

Productinfo

Name

• liferea

Version

• 1.12.0
• 1.12.1
• 1.12.2
• 1.12.3
• 1.12.4
• 1.12.5
• 1.12.6
• 1.12.7
• 1.12.8
• 1.12.9
• 1.13.0
• 1.13.1
• 1.13.2
• 1.13.3
• 1.13.4
• 1.13.5
• 1.13.6
• 1.13.7
• 1.13.8
• 1.13.9
• 1.14-RC1
• 1.14-RC2
• 1.14-RC3
• 1.14.0

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion