CVE-2017-17514
high
CVSS v3
8.8
CVSS v2
6.8
VIR risk
8.8
Description
boxes.c in nip2 8.4.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that this product does not use the BROWSER environment variable
Predictions
Exploit likelihood
92%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-17514
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | bullseye | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
| debian | 7.0 | affected | |
| debian | 8.0 | affected | |
| debian | 9.0 | affected | |
| debian | 10.0 | affected | |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| nip2_project | nip2 | 8.4.0 | |
References
CWEs
CWE-74
Verify integrity in audit chain (admin only). AS-IS.