Vulnerability Details : CVE-2012-4463
Midnight Commander (mc) 4.8.5 does not properly handle the (1) MC_EXT_SELECTED or (2) MC_EXT_ONLYTAGGED environment variables when multiple files are selected, which allows user-assisted remote attackers to execute arbitrary commands via a crafted file name.
Vulnerability category: Input validation
Products affected by CVE-2012-4463
- cpe:2.3:a:midnight-commander:midnight_commander:4.8.5:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-4463
- 1.29%: Probability of exploitation activity in the next 30 days
- ~ 84 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2012-4463
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.1 | MEDIUM | AV:N/AC:H/Au:N/C:P/I:P/A:P | 4.9 | 6.4 | NIST | |
CWE ids for CVE-2012-4463
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-4463
- https://bugzilla.redhat.com/show_bug.cgi?id=862813
  862813 – (CVE-2012-4463) CVE-2012-4463 mc: Improper sanitization of MC_EXT_SELECTED variable when viewing multiple files
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79033
  Midnight Commander code execution CVE-2012-4463 Vulnerability Report
- http://www.securityfocus.com/bid/55777
  Midnight Commander 'MC_EXT_SELECTED' Variable Remote Security Vulnerability
- https://bugs.gentoo.org/show_bug.cgi?id=436518#c7
  436518 – (CVE-2012-4463) <app-misc/mc-4.8.7: arbitrary execution of programs due to unquoted environment variables (CVE-2012-4463)
- http://www.openwall.com/lists/oss-security/2012/10/03/4
  oss-security - CVE Request (minor) -- mc: Improper sanitization of MC_EXT_SELECTED variable when viewing multiple files
- http://www.openwall.com/lists/oss-security/2012/10/03/5
  oss-security - Re: CVE Request (minor) -- mc: Improper sanitization of MC_EXT_SELECTED variable when viewing multiple files
- https://www.midnight-commander.org/ticket/2913
  #2913 (CVE-2012-4463 mc-4.8.5: Does not sanitize MC_EXT_SELECTED variable properly) – Midnight Commander