In radare2 before version 4.5.0, malformed PDB file names in the PDB server path cause shell injection. To trigger the problem it's required to open the executable in radare2 and run idpd to trigger the download. The shell code will execute, and will create a file called pwned in the current directory.
References
Configurations
History
21 Nov 2024, 05:04
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 6.8
v3 : 7.4 |
References | () https://github.com/radareorg/radare2/commit/04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9 - Patch, Third Party Advisory | |
References | () https://github.com/radareorg/radare2/issues/16945 - Third Party Advisory | |
References | () https://github.com/radareorg/radare2/pull/16966 - Third Party Advisory | |
References | () https://github.com/radareorg/radare2/security/advisories/GHSA-r552-vp94-9358 - Third Party Advisory | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/ - | |
References | () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YE77P5RSE2T7JHEKMWF2ARTSJGMPXCFY/ - |
07 Nov 2023, 03:17
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2020-07-20 18:15
Updated : 2024-11-21 05:04
NVD link : CVE-2020-15121
Mitre link : CVE-2020-15121
CVE.ORG link : CVE-2020-15121
JSON object : View
Products Affected
radare
- radare2
fedoraproject
- fedora
CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')