CVE-2017-17515

high

Published 2017-12-14 · Modified 2026-05-13

CVSS v3

8.8

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2

6.8

VIR risk

8.8

Description

etc/ObjectList in Metview 4.7.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has indicated that the code to access this environment variable is not enabled in the shipped product

Predictions

Exploit likelihood

92%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-17515

OS impact

OS	Version	Status
debian	bookworm	affected
debian	bullseye	affected
debian	forky	affected
debian	sid	affected
debian	trixie	affected
debian	8.0	affected
debian	9.0	affected
debian	10.0	affected

Application impact

Vendor	Product	Versions	Fixed
ecmwf	metview	`4.7.3`

References

https://security-tracker.debian.org/tracker/CVE-2017-17515

CWEs

CWE-74

Verify integrity in audit chain (admin only). AS-IS.