CVE-2017-17522

HIGH

Python < 3.6.3 - Injection

Title source: rule

Description

Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting

References (3)

Scores

CVSS v3 8.8
EPSS 0.0065
EPSS Percentile 70.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE
CWE-74
Status draft

Affected Products (1)

python/python < 3.6.3

Timeline

Published Dec 14, 2017
Tracked Since Feb 18, 2026