CVE-2009-3617
aria2 < 1.6.2 - Remote Code Execution via Format String in Download URI
Format string vulnerability in the AbstractCommand::onAbort function in src/AbstractCommand.cc in aria2 before 1.6.2, when logging is enabled, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a download URI. NOTE: some of these details are obtained from third party information.
References (9)
Core References
Various Sources (x_refsource_confirm): https://fedorahosted.org/rel-eng/ticket/2495
Patch (x_refsource_confirm): http://aria2.svn.sourceforge.net/viewvc/aria2/trunk/src/AbstractCommand.cc?r1=1539&r2=1572
Vendor Advisory (vdb-entry, x_refsource_vupen): http://www.vupen.com/english/advisories/2009/2960
Patch (mailing-list, x_refsource_mlist): http://marc.info/?l=oss-security&m=125568632528906&w=2
Patch (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=529342
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/31732
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/59087
Mailing List (mailing-list, x_refsource_mlist): http://marc.info/?l=oss-security&m=125572053420493&w=2
Product (x_refsource_confirm): http://aria2.svn.sourceforge.net/viewvc/aria2/trunk/NEWS?revision=1586
Scores
EPSS: 0.0489
EPSS Percentile: 90.9%
Details
CWE: CWE-134
Status: published
Products (37)
tatsuhiro_tsujikawa/aria2 0.11.3
tatsuhiro_tsujikawa/aria2 0.11.4
tatsuhiro_tsujikawa/aria2 0.11.5
tatsuhiro_tsujikawa/aria2 0.12.0
tatsuhiro_tsujikawa/aria2 0.12.1
tatsuhiro_tsujikawa/aria2 0.13.0
tatsuhiro_tsujikawa/aria2 0.13.0+1
tatsuhiro_tsujikawa/aria2 0.13.1
tatsuhiro_tsujikawa/aria2 0.13.1+1
tatsuhiro_tsujikawa/aria2 0.13.2
... and 27 more
Published: Oct 20, 2009
Tracked Since: Feb 18, 2026