Description

** DISPUTED ** Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting.

Remediation

References

CVE-2017-17522

Related Vulnerabilities

WordPress Plugin WordPress Photo Gallery by Gallery Bank Unspecified Vulnerability (3.1.26)

Apache HTTP Server Allocation of Resources Without Limits or Throttling Vulnerability (CVE-2019-9517)

Oracle Application Server Other Vulnerability (CVE-2006-0552)

WordPress Plugin Search Logger-Know What Your Visitors Search SQL Injection (0.9)

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2022-23307)

Severity

High

Classification

CVE-2017-17522 CWE-138 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities