CVE-2020-15692

Sažetak

In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying open command to execute arbitrary registered system commands.

Reference

http://www.openwall.com/lists/oss-security/2021/02/04/1
https://consensys.net/diligence/vulnerabilities/nim-browsers-argument-injection/
https://github.com/nim-lang/Nim/blob/dc5a40f3f39c6ea672e6dc6aca7f8118a69dda99/lib/pure/browsers.nim#L48
https://nim-lang.org/blog/2020/07/30/versions-126-and-108-released.html

CVSS

Base:	10.0
Impact:	10.0
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:N/AC:L/Au:N/C:C/I:C/A:C

Zadnje važnije ažuriranje

08-02-2021 - 20:44

Objavljeno

14-08-2020 - 19:15