Vulnerability Details : CVE-2017-17522
Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting.
Products affected by CVE-2017-17522
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Threat overview for CVE-2017-17522
- Top open port discovered on systems with this issue: 8123
- IPs affected by CVE-2017-17522: 151,230
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2017-17522
- 0.60%: Probability of exploitation activity in the next 30 days
- ~76%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-17522
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
CWE ids for CVE-2017-17522
- The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-17522
- https://security-tracker.debian.org/tracker/CVE-2017-17522
  CVE-2017-17522 (Issue Tracking; Third Party Advisory)
- https://bugs.python.org/issue32367
  Issue 32367: [Security] CVE-2017-17522: webbrowser.py in Python does not validate strings - Python tracker
- http://www.securityfocus.com/bid/102207
  Python 'Lib/webbrowser.py' Remote Command Execution Vulnerability (Third Party Advisory; VDB Entry)