CVE-2014-3121

rxvt-unicode before 9.20 does not properly handle OSC escape sequences, which allows user-assisted remote attackers to manipulate arbitrary X window properties and execute arbitrary commands.

CVSS v2.0 7.6 HIGH

7.6^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:H/Au:N/C:C/I:C/A:C

Exploitability : 4.9 / Impact : 10.0

Access Vector NETWORK

Access Complexity HIGH

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://dist.schmorp.de/rxvt-unicode/Changes
http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00026.html
http://lists.opensuse.org/opensuse-updates/2014-06/msg00038.html
http://seclists.org/oss-sec/2014/q2/204
http://www.debian.org/security/2014/dsa-2925
http://www.securityfocus.com/bid/67155
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133166.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133195.html
http://dist.schmorp.de/rxvt-unicode/Changes
http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00026.html
http://lists.opensuse.org/opensuse-updates/2014-06/msg00038.html
http://seclists.org/oss-sec/2014/q2/204
http://www.debian.org/security/2014/dsa-2925
http://www.securityfocus.com/bid/67155
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133166.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133195.html

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:marc_lehmann:rxvt-unicode::::::::
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.0:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.01:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.02:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.05:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.06:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.07:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.08:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.09:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.10:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.11:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.12:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.14:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.15:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.16:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.17:::::::*
	cpe:2.3:a:marc_lehmann:rxvt-unicode:9.18:::::::*

History

21 Nov 2024, 02:07

Type	Values Removed	Values Added
References	~~() http://dist.schmorp.de/rxvt-unicode/Changes -~~	() http://dist.schmorp.de/rxvt-unicode/Changes -
References	~~() http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00026.html -~~	() http://lists.opensuse.org/opensuse-security-announce/2014-06/msg00026.html -
References	~~() http://lists.opensuse.org/opensuse-updates/2014-06/msg00038.html -~~	() http://lists.opensuse.org/opensuse-updates/2014-06/msg00038.html -
References	~~() http://seclists.org/oss-sec/2014/q2/204 -~~	() http://seclists.org/oss-sec/2014/q2/204 -
References	~~() http://www.debian.org/security/2014/dsa-2925 -~~	() http://www.debian.org/security/2014/dsa-2925 -
References	~~() http://www.securityfocus.com/bid/67155 -~~	() http://www.securityfocus.com/bid/67155 -
References	~~() https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133166.html -~~	() https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133166.html -
References	~~() https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133195.html -~~	() https://lists.fedoraproject.org/pipermail/package-announce/2014-May/133195.html -

Information

Published : 2014-05-14 00:55

Updated : 2025-04-12 10:46

NVD link : CVE-2014-3121

Mitre link : CVE-2014-3121

CVE.ORG link : CVE-2014-3121

JSON object : View

Products Affected

marc_lehmann

rxvt-unicode

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

7.6 /10