CVE-2021-41146 - OpenCVE

qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Qutebrowser	Qutebrowser

Configuration 1 [-]

OR	cpe:2.3:a:qutebrowser:qutebrowser::::::::
	cpe:2.3:a:qutebrowser:qutebrowser::::::::

References

Link	Resource
https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430	Patch Third Party Advisory
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-10-21T17:35:10

Updated: 2021-10-21T17:35:10

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41146

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-10-21T18:15:10.303

Modified: 2022-10-24T18:43:15.700

Link: CVE-2021-41146

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "qutebrowser", "vendor": "qutebrowser", "versions": [{"status": "affected", "version": ">= 1.7.0, < 2.4.0"}]}], "descriptions": [{"lang": "en", "value": "qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-88", "description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-641", "description": "CWE-641: Improper Restriction of Names for Files and Other Resources", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-10-21T17:35:10", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430"}], "source": {"advisory": "GHSA-vw27-fwjf-5qxm", "discovery": "UNKNOWN"}, "title": "Arbitrary command execution on Windows in qutebrowser", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41146", "STATE": "PUBLIC", "TITLE": "Arbitrary command execution on Windows in qutebrowser"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "qutebrowser", "version": {"version_data": [{"version_value": ">= 1.7.0, < 2.4.0"}]}}]}, "vendor_name": "qutebrowser"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}, {"description": [{"lang": "eng", "value": "CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"}]}, {"description": [{"lang": "eng", "value": "CWE-641: Improper Restriction of Names for Files and Other Resources"}]}]}, "references": {"reference_data": [{"name": "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm", "refsource": "CONFIRM", "url": "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm"}, {"name": "https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430", "refsource": "MISC", "url": "https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430"}]}, "source": {"advisory": "GHSA-vw27-fwjf-5qxm", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41146", "datePublished": "2021-10-21T17:35:10", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2021-10-21T17:35:10", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qutebrowser:qutebrowser:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A51F2F8-D1B6-4749-87C5-6745A246B3FE", "versionEndIncluding": "1.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:qutebrowser:qutebrowser:*:*:*:*:*:*:*:*", "matchCriteriaId": "F643B197-DBB9-48A2-AD9B-CF2639EDD35A", "versionEndExcluding": "2.4.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known."}, {"lang": "es", "value": "qutebrowser es un navegador de c\u00f3digo abierto centrado en el teclado con una Interfaz de Usuario Gr\u00e1fica m\u00ednima. A partir de qutebrowser versi\u00f3n v1.7.0, el instalador de Windows para qutebrowser registra un manejador de URL \"qutebrowserurl:\". Con determinadas aplicaciones, la apertura de una URL \"qutebrowserurl:...\" especialmente dise\u00f1ada puede conllevar a una ejecuci\u00f3n de comandos de qutebrowser, lo que a su vez permite una ejecuci\u00f3n de c\u00f3digo arbitrario por medio de comandos como \":spawn\" o \":debug-pyeval\". S\u00f3lo est\u00e1n afectadas las instalaciones de Windows en las que qutebrowser est\u00e1 registrado como manejador de URL. El problema ha sido corregido en qutebrowser versi\u00f3n v2.4.0. La correcci\u00f3n tambi\u00e9n a\u00f1ade un refuerzo adicional para posibles problemas similares en Linux (al a\u00f1adir la nueva flag --untrusted-args al archivo .desktop), aunque no se conoce ninguna vulnerabilidad de este tipo"}], "id": "CVE-2021-41146", "lastModified": "2022-10-24T18:43:15.700", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Primary"}]}, "published": "2021-10-21T18:15:10.303", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-641"}, {"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-88"}], "source": "security-advisories@github.com", "type": "Secondary"}]}