CVE-2021-27229

moderate-risk
Published 2021-02-16

Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.

Do I need to act?

~
2.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (2)

Mumble

Affected Vendors

Debian Mumble

References (10)

Patch https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16b...
Patch https://github.com/mumble-voip/mumble/compare/1.3.3...1.3.4
Patch https://github.com/mumble-voip/mumble/pull/4733
Mailing List https://lists.debian.org/debian-lts-announce/2021/02/msg00022.html
Third Party Advisory https://security.gentoo.org/glsa/202105-13
Patch https://github.com/mumble-voip/mumble/commit/e59ee87abe249f345908c7d568f6879d16b...
Patch https://github.com/mumble-voip/mumble/compare/1.3.3...1.3.4
Patch https://github.com/mumble-voip/mumble/pull/4733
Mailing List https://lists.debian.org/debian-lts-announce/2021/02/msg00022.html
Third Party Advisory https://security.gentoo.org/glsa/202105-13
43
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 6/34 · Minimal
Exposure 7/34 · Low