CVE-2017-17514
moderate-risk
Published 2017-12-14
boxes.c in nip2 8.4.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that this product does not use the BROWSER environment variable
Do I need to act?
-
0.56% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Products (5)
Affected Vendors
References (4)
Issue Tracking
https://github.com/jcupitt/nip2/issues/70
Issue Tracking
https://security-tracker.debian.org/tracker/CVE-2017-17514
Issue Tracking
https://github.com/jcupitt/nip2/issues/70
Issue Tracking
https://security-tracker.debian.org/tracker/CVE-2017-17514
44
/ 100
moderate-risk
Severity
30/34 · Critical
Exploitability
2/34 · Minimal
Exposure
12/34 · Low