Description
Atril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low
Affected products
- mate-desktop / atril<= 1.26.3 – <= 1.26.3
References
- VENDOR_ADVISORYhttps://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2
- PATCHhttps://github.com/mate-desktop/atril/commit/ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed
- MAILING_LISThttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OZKXNZ3HGH6KH65OEKVCEAOZJWNZ32FQ/
- MAILING_LISThttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OT3UIQOSZ6UNH5QTFOOY2DJ4MITM2C2C/