Vulnerability-Lookup

CVE-2008-3907 (GCVE-0-2008-3907)

Vulnerability from cvelistv5 – Published: 2008-09-04 17:00 – Updated: 2024-08-07 09:53

Summary

The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://www.openwall.com/lists/oss-security/2008/09/01/4	mailing-listx_refsource_MLIST
	http://newsbeuter.wordpress.com/2008/09/01/newsbe…	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF
	http://secunia.com/advisories/31676	third-party-advisoryx_refsource_SECUNIA
	http://www.newsbeuter.org/downloads/CHANGES	x_refsource_CONFIRM
	http://security.gentoo.org/glsa/glsa-200809-12.xml	vendor-advisoryx_refsource_GENTOO
	http://secunia.com/advisories/31995	third-party-advisoryx_refsource_SECUNIA
	http://www.securityfocus.com/bid/30964	vdb-entryx_refsource_BID

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T09:53:00.493Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20080901 CVE id request: newsbeuter",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2008/09/01/4"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/"
          },
          {
            "name": "newsbeuter-url-command-execution(44791)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44791"
          },
          {
            "name": "31676",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/31676"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.newsbeuter.org/downloads/CHANGES"
          },
          {
            "name": "GLSA-200809-12",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "http://security.gentoo.org/glsa/glsa-200809-12.xml"
          },
          {
            "name": "31995",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/31995"
          },
          {
            "name": "30964",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/30964"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2008-09-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-08-07T12:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "[oss-security] 20080901 CVE id request: newsbeuter",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2008/09/01/4"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/"
        },
        {
          "name": "newsbeuter-url-command-execution(44791)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44791"
        },
        {
          "name": "31676",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/31676"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.newsbeuter.org/downloads/CHANGES"
        },
        {
          "name": "GLSA-200809-12",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "http://security.gentoo.org/glsa/glsa-200809-12.xml"
        },
        {
          "name": "31995",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/31995"
        },
        {
          "name": "30964",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/30964"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-3907",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20080901 CVE id request: newsbeuter",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2008/09/01/4"
            },
            {
              "name": "http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/",
              "refsource": "CONFIRM",
              "url": "http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/"
            },
            {
              "name": "newsbeuter-url-command-execution(44791)",
              "refsource": "XF",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44791"
            },
            {
              "name": "31676",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/31676"
            },
            {
              "name": "http://www.newsbeuter.org/downloads/CHANGES",
              "refsource": "CONFIRM",
              "url": "http://www.newsbeuter.org/downloads/CHANGES"
            },
            {
              "name": "GLSA-200809-12",
              "refsource": "GENTOO",
              "url": "http://security.gentoo.org/glsa/glsa-200809-12.xml"
            },
            {
              "name": "31995",
              "refsource": "SECUNIA",
              "url": "http://secunia.com/advisories/31995"
            },
            {
              "name": "30964",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/30964"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2008-3907",
    "datePublished": "2008-09-04T17:00:00",
    "dateReserved": "2008-09-04T00:00:00",
    "dateUpdated": "2024-08-07T09:53:00.493Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.0\", \"matchCriteriaId\": \"276F919F-3181-4ADE-A181-7A8776115338\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A1E21217-98D9-4FAD-88D4-652746FB05C1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DA51EDB2-94CD-421C-B7D9-5E3FEEAD194E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4AF4978C-4EBF-41ED-962F-0890E5BDC071\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DCDA3939-74B1-4A44-955D-1BA1D2A23C0F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B242B9F1-3B5B-41EE-8CFF-BCC3008B785A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"733B891C-63E6-45A2-AE6D-32A4C860A07D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"684B7199-9344-4DBA-90AD-DEDEC056F213\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"45CD698E-70A1-43A0-B828-3DBD519DDDF9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.8.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"379E21B5-D427-45EC-B674-9BCC8A47CA76\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.8.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EB0B1B93-8E8C-4A77-98F8-CE5BFED550DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.9:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1C907407-E178-43BF-A433-9BC73EB7FD5F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:newsbeuter:newsbeuter:0.9.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DB3A20C1-1FB7-43C8-A78E-FBEBB4E888AF\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL.\"}, {\"lang\": \"es\", \"value\": \"El comando open-in-browser en newsbeuter versiones anteriores a 1.1 permite a atacantes remotos ejecutar comandos de su elecci\\u00f3n a trav\\u00e9s de metacaracteres de consola en una URL fuente.\"}]",
      "evaluatorComment": "http://www.openwall.com/lists/oss-security/2008/09/01/4\r\n\r\n\"The previous version allowed to execute arbitrary code by a \r\ncrafted feed URL that is passed as a command line parameter \r\nif the URL is opened by an external browser.\"",
      "id": "CVE-2008-3907",
      "lastModified": "2024-11-21T00:50:26.627",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2008-09-04T17:41:00.000",
      "references": "[{\"url\": \"http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://secunia.com/advisories/31676\", \"source\": \"cve@mitre.org\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/31995\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200809-12.xml\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.newsbeuter.org/downloads/CHANGES\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2008/09/01/4\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/bid/30964\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/44791\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/31676\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/31995\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200809-12.xml\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.newsbeuter.org/downloads/CHANGES\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2008/09/01/4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/30964\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/44791\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2008-3907\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2008-09-04T17:41:00.000\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL.\"},{\"lang\":\"es\",\"value\":\"El comando open-in-browser en newsbeuter versiones anteriores a 1.1 permite a atacantes remotos ejecutar comandos de su elecci\u00f3n a trav\u00e9s de metacaracteres de consola en una URL fuente.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.0\",\"matchCriteriaId\":\"276F919F-3181-4ADE-A181-7A8776115338\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1E21217-98D9-4FAD-88D4-652746FB05C1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DA51EDB2-94CD-421C-B7D9-5E3FEEAD194E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4AF4978C-4EBF-41ED-962F-0890E5BDC071\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DCDA3939-74B1-4A44-955D-1BA1D2A23C0F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B242B9F1-3B5B-41EE-8CFF-BCC3008B785A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"733B891C-63E6-45A2-AE6D-32A4C860A07D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"684B7199-9344-4DBA-90AD-DEDEC056F213\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"45CD698E-70A1-43A0-B828-3DBD519DDDF9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"379E21B5-D427-45EC-B674-9BCC8A47CA76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB0B1B93-8E8C-4A77-98F8-CE5BFED550DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C907407-E178-43BF-A433-9BC73EB7FD5F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:newsbeuter:newsbeuter:0.9.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB3A20C1-1FB7-43C8-A78E-FBEBB4E888AF\"}]}]}],\"references\":[{\"url\":\"http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://secunia.com/advisories/31676\",\"source\":\"cve@mitre.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/31995\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://security.gentoo.org/glsa/glsa-200809-12.xml\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.newsbeuter.org/downloads/CHANGES\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2008/09/01/4\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/30964\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/44791\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/31676\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/31995\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://security.gentoo.org/glsa/glsa-200809-12.xml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.newsbeuter.org/downloads/CHANGES\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2008/09/01/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/30964\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/44791\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"evaluatorComment\":\"http://www.openwall.com/lists/oss-security/2008/09/01/4\\r\\n\\r\\n\\\"The previous version allowed to execute arbitrary code by a \\r\\ncrafted feed URL that is passed as a command line parameter \\r\\nif the URL is opened by an external browser.\\\"\"}}"
  }
}

FKIE_CVE-2008-3907

Vulnerability from fkie_nvd - Published: 2008-09-04 17:41 - Updated: 2025-04-09 00:30

Severity ?

Summary

The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL.

References

URL	Tags
cve@mitre.org	http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/
cve@mitre.org	http://secunia.com/advisories/31676	Vendor Advisory
cve@mitre.org	http://secunia.com/advisories/31995
cve@mitre.org	http://security.gentoo.org/glsa/glsa-200809-12.xml
cve@mitre.org	http://www.newsbeuter.org/downloads/CHANGES
cve@mitre.org	http://www.openwall.com/lists/oss-security/2008/09/01/4
cve@mitre.org	http://www.securityfocus.com/bid/30964
cve@mitre.org	https://exchange.xforce.ibmcloud.com/vulnerabilities/44791
af854a3a-2127-422b-91ae-364da2661108	http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/31676	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/31995
af854a3a-2127-422b-91ae-364da2661108	http://security.gentoo.org/glsa/glsa-200809-12.xml
af854a3a-2127-422b-91ae-364da2661108	http://www.newsbeuter.org/downloads/CHANGES
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2008/09/01/4
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/30964
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/44791

Impacted products

Vendor	Product	Version
newsbeuter	newsbeuter	*
newsbeuter	newsbeuter	0.1.1
newsbeuter	newsbeuter	0.2
newsbeuter	newsbeuter	0.3
newsbeuter	newsbeuter	0.4
newsbeuter	newsbeuter	0.5
newsbeuter	newsbeuter	0.6
newsbeuter	newsbeuter	0.7
newsbeuter	newsbeuter	0.8
newsbeuter	newsbeuter	0.8.1
newsbeuter	newsbeuter	0.8.2
newsbeuter	newsbeuter	0.9
newsbeuter	newsbeuter	0.9.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "276F919F-3181-4ADE-A181-7A8776115338",
              "versionEndIncluding": "1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "A1E21217-98D9-4FAD-88D4-652746FB05C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "DA51EDB2-94CD-421C-B7D9-5E3FEEAD194E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "4AF4978C-4EBF-41ED-962F-0890E5BDC071",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "DCDA3939-74B1-4A44-955D-1BA1D2A23C0F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "B242B9F1-3B5B-41EE-8CFF-BCC3008B785A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "733B891C-63E6-45A2-AE6D-32A4C860A07D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "684B7199-9344-4DBA-90AD-DEDEC056F213",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "45CD698E-70A1-43A0-B828-3DBD519DDDF9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.8.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "379E21B5-D427-45EC-B674-9BCC8A47CA76",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.8.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "EB0B1B93-8E8C-4A77-98F8-CE5BFED550DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C907407-E178-43BF-A433-9BC73EB7FD5F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:newsbeuter:newsbeuter:0.9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB3A20C1-1FB7-43C8-A78E-FBEBB4E888AF",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL."
    },
    {
      "lang": "es",
      "value": "El comando open-in-browser en newsbeuter versiones anteriores a 1.1 permite a atacantes remotos ejecutar comandos de su elecci\u00f3n a trav\u00e9s de metacaracteres de consola en una URL fuente."
    }
  ],
  "evaluatorComment": "http://www.openwall.com/lists/oss-security/2008/09/01/4\r\n\r\n\"The previous version allowed to execute arbitrary code by a \r\ncrafted feed URL that is passed as a command line parameter \r\nif the URL is opened by an external browser.\"",
  "id": "CVE-2008-3907",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2008-09-04T17:41:00.000",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/31676"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/31995"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://security.gentoo.org/glsa/glsa-200809-12.xml"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.newsbeuter.org/downloads/CHANGES"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.openwall.com/lists/oss-security/2008/09/01/4"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/bid/30964"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44791"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/31676"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/31995"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://security.gentoo.org/glsa/glsa-200809-12.xml"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.newsbeuter.org/downloads/CHANGES"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2008/09/01/4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/30964"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44791"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-C24P-P34C-X969

Vulnerability from github – Published: 2022-05-02 00:04 – Updated: 2025-04-09 03:58

Details

The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2008-3907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-09-04T17:41:00Z",
    "severity": "MODERATE"
  },
  "details": "The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL.",
  "id": "GHSA-c24p-p34c-x969",
  "modified": "2025-04-09T03:58:02Z",
  "published": "2022-05-02T00:04:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3907"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44791"
    },
    {
      "type": "WEB",
      "url": "http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/31676"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/31995"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200809-12.xml"
    },
    {
      "type": "WEB",
      "url": "http://www.newsbeuter.org/downloads/CHANGES"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2008/09/01/4"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/30964"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2008-3907

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL.

Aliases

CVE-2008-3907

Aliases

CVE-2008-3907

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2008-3907",
    "description": "The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL.",
    "id": "GSD-2008-3907"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2008-3907"
      ],
      "details": "The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL.",
      "id": "GSD-2008-3907",
      "modified": "2023-12-13T01:23:05.227054Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2008-3907",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[oss-security] 20080901 CVE id request: newsbeuter",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2008/09/01/4"
          },
          {
            "name": "http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/",
            "refsource": "CONFIRM",
            "url": "http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/"
          },
          {
            "name": "newsbeuter-url-command-execution(44791)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44791"
          },
          {
            "name": "31676",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/31676"
          },
          {
            "name": "http://www.newsbeuter.org/downloads/CHANGES",
            "refsource": "CONFIRM",
            "url": "http://www.newsbeuter.org/downloads/CHANGES"
          },
          {
            "name": "GLSA-200809-12",
            "refsource": "GENTOO",
            "url": "http://security.gentoo.org/glsa/glsa-200809-12.xml"
          },
          {
            "name": "31995",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/31995"
          },
          {
            "name": "30964",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/30964"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.8.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.9.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.8.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:newsbeuter:newsbeuter:0.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-3907"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The open-in-browser command in newsbeuter before 1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a feed URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20080901 CVE id request: newsbeuter",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2008/09/01/4"
            },
            {
              "name": "http://www.newsbeuter.org/downloads/CHANGES",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www.newsbeuter.org/downloads/CHANGES"
            },
            {
              "name": "30964",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/30964"
            },
            {
              "name": "31676",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/31676"
            },
            {
              "name": "31995",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/31995"
            },
            {
              "name": "GLSA-200809-12",
              "refsource": "GENTOO",
              "tags": [],
              "url": "http://security.gentoo.org/glsa/glsa-200809-12.xml"
            },
            {
              "name": "http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://newsbeuter.wordpress.com/2008/09/01/newsbeuter-11-released-contains-security-fix-please-upgrade/"
            },
            {
              "name": "newsbeuter-url-command-execution(44791)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44791"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2017-08-08T01:32Z",
      "publishedDate": "2008-09-04T17:41Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2008-3907 (GCVE-0-2008-3907)

FKIE_CVE-2008-3907

GHSA-C24P-P34C-X969

GSD-2008-3907

Tags

Sightings

Nomenclature