CVE-2021-32563

An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.openwall.com/lists/oss-security/2021/05/11/3	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/01/05/1	Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/01/05/2	Mailing List Third Party Advisory
https://gitlab.xfce.org/xfce/thunar/-/commit/1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d	Patch
https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664	Patch
https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b	Patch
https://gitlab.xfce.org/xfce/thunar/-/tags	Release Notes
https://www.openwall.com/lists/oss-security/2021/05/09/2	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:xfce:thunar::::::::
	cpe:2.3:a:xfce:thunar::::::::

History

No history.

Information

Published : 2021-05-11 05:15

Updated : 2024-02-28 18:28

NVD link : CVE-2021-32563

Mitre link : CVE-2021-32563

CVE.ORG link : CVE-2021-32563

JSON object : View

Products Affected

xfce

thunar

CWE

CWE-913

Improper Control of Dynamically-Managed Code Resources

{"id": "CVE-2021-32563", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2021-05-11T05:15:07.217", "references": [{"url": "http://www.openwall.com/lists/oss-security/2021/05/11/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2023/01/05/1", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2023/01/05/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://gitlab.xfce.org/xfce/thunar/-/commit/1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b", "tags": ["Patch"], "source": "cve@mitre.org"}, {"url": "https://gitlab.xfce.org/xfce/thunar/-/tags", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://www.openwall.com/lists/oss-security/2021/05/09/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-913"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Thunar versiones anteriores a 4.16.7 y versiones 4.17.x anteriores a 4.17.2. Cuando es llamado con un archivo normal como argumento de l\u00ednea de comandos, es delegado en un programa diferente (seg\u00fan el tipo de archivo) sin la confirmaci\u00f3n del usuario. Esto podr\u00eda ser usado para lograr una ejecuci\u00f3n de c\u00f3digo"}], "lastModified": "2023-02-28T19:00:53.423", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:xfce:thunar:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FFE279F7-C6F4-4D5D-98A0-6786253DFE3C", "versionEndExcluding": "4.16.7"}, {"criteria": "cpe:2.3:a:xfce:thunar:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3C50E9C4-30D6-465A-AD74-07074B15B861", "versionEndExcluding": "4.17.2", "versionStartIncluding": "4.17.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}