Vulnerabilities > CVE-2017-12904 - Improper Neutralization of Special Elements in Data Query Logic vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Improper Neutralization of Special Elements used in an OS Command in bookmarking function of Newsbeuter versions 0.7 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3947.NASL description Jeriko One discovered that newsbeuter, a text-mode RSS feed reader, did not properly escape the title and description of a news article when bookmarking it. This allowed a remote attacker to run an arbitrary shell command on the client machine. last seen 2020-06-01 modified 2020-06-02 plugin id 102599 published 2017-08-21 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102599 title Debian DSA-3947-1 : newsbeuter - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3947. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(102599); script_version("3.4"); script_cvs_date("Date: 2018/11/10 11:49:38"); script_cve_id("CVE-2017-12904"); script_xref(name:"DSA", value:"3947"); script_name(english:"Debian DSA-3947-1 : newsbeuter - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Jeriko One discovered that newsbeuter, a text-mode RSS feed reader, did not properly escape the title and description of a news article when bookmarking it. This allowed a remote attacker to run an arbitrary shell command on the client machine." ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/newsbeuter" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/newsbeuter" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2017/dsa-3947" ); script_set_attribute( attribute:"solution", value: "Upgrade the newsbeuter packages. For the oldstable distribution (jessie), this problem has been fixed in version 2.8-2+deb8u1. For the stable distribution (stretch), this problem has been fixed in version 2.9-5+deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:newsbeuter"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"newsbeuter", reference:"2.8-2+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"newsbeuter-dbg", reference:"2.8-2+deb8u1")) flag++; if (deb_check(release:"9.0", prefix:"newsbeuter", reference:"2.9-5+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1061.NASL description Jeriko One discovered that newsbeuter, a text-mode RSS feed reader, did not properly escape the title and description of a news article when bookmarking it. This allowed a remote attacker to run an arbitrary shell command on the client machine. For Debian 7 last seen 2020-03-17 modified 2017-08-21 plugin id 102596 published 2017-08-21 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/102596 title Debian DLA-1061-1 : newsbeuter security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1061-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(102596); script_version("3.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2017-12904"); script_name(english:"Debian DLA-1061-1 : newsbeuter security update"); script_summary(english:"Checks dpkg output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Jeriko One discovered that newsbeuter, a text-mode RSS feed reader, did not properly escape the title and description of a news article when bookmarking it. This allowed a remote attacker to run an arbitrary shell command on the client machine. For Debian 7 'Wheezy', these problems have been fixed in version 2.5-2+deb7u2. We recommend that you upgrade your newsbeuter packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2017/08/msg00013.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/newsbeuter" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected newsbeuter package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:newsbeuter"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/08/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/21"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"newsbeuter", reference:"2.5-2+deb7u2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201801-18.NASL description The remote host is affected by the vulnerability described in GLSA-201801-18 (Newsbeuter: User-assisted execution of arbitrary code) Newsbeuter does not properly escape shell meta-characters in the title and description of RSS feeds when bookmarking. Impact : A remote attacker, by enticing a user to open a feed with specially crafted URLs, could possibly execute arbitrary shell commands with the privileges of the user running the application. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 106117 published 2018-01-18 reporter This script is Copyright (C) 2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106117 title GLSA-201801-18 : Newsbeuter: User-assisted execution of arbitrary code NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-62.NASL description This update for newsbeuter fixes one issues. This security issue was fixed : - CVE-2017-12904: Improper neutralization of special elements allowed remote attackers to perform user-assisted code execution by crafting an RSS item that includes shell code in its title and/or URL (bsc#1054578). last seen 2020-06-05 modified 2018-01-22 plugin id 106222 published 2018-01-22 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106222 title openSUSE Security Update : newsbeuter (openSUSE-2018-62)