CVE-2017-15108

HIGH

spice-vdagent <= 0.17.0 - OS Command Injection via Save Directory

Title source: llm
STIX 2.1

Description

spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary commands to be executed.

References (3)

Core 3
Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201804-09
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/01/msg00012.html

Scores

CVSS v3 7.8
EPSS 0.0042
EPSS Percentile 33.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (2)
debian/debian_linux 9.0
spice-space/spice-vdagent < 0.17.0
Published Jan 20, 2018
Tracked Since Feb 18, 2026