CVE-2013-2024 : OS command injection vulnerability in the "qs" procedure from the "utils" module

OS command injection vulnerability in the "qs" procedure from the "utils" module in Chicken before 4.9.0.

Published 2019-10-31 20:15:11

Updated 2020-08-18 15:05:49

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2013-2024

Debian » Debian Linux » Version: 8.0
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Call-cc » Chicken
Versions up to, including, (<=) 4.8.2
cpe:2.3:a:call-cc:chicken:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

3.02%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 85 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	HIGH	AV:N/AC:L/Au:S/C:C/I:C/A:C	8.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

https://access.redhat.com/security/cve/cve-2013-2024

Red Hat Customer Portal
Broken Link;Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2013-2024

CVE-2013-2024
Third Party Advisory
http://www.securityfocus.com/bid/59320

CHICKEN 'qs' Function Local Command Injection Vulnerability
Third Party Advisory;VDB Entry
https://lists.nongnu.org/archive/html/chicken-announce/2013-04/msg00000.html

[Chicken-announce] [SECURITY] Incomplete escaping in qs procedure may le
Mailing List;Third Party Advisory
http://www.openwall.com/lists/oss-security/2013/04/29/13

oss-security - Re: OS command injection vulnerability in Chicken Scheme
Mailing List;Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/85064

CHICKEN utils module command execution CVE-2013-2024 Vulnerability Report
Third Party Advisory;VDB Entry
https://security.gentoo.org/glsa/201612-54

Chicken: Multiple vulnerabilities (GLSA 201612-54) — Gentoo security
Third Party Advisory

CVEs referencing this url

Jump to