Vulnerability Details : CVE-2021-41146
qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a `qutebrowserurl:` URL handler. With certain applications, opening a specially crafted `qutebrowserurl:...` URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as `:spawn` or `:debug-pyeval`. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known.
Products affected by CVE-2021-41146
- cpe:2.3:a:qutebrowser:qutebrowser:*:*:*:*:*:*:*:*
- cpe:2.3:a:qutebrowser:qutebrowser:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41146
0.30%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-41146
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
GitHub, Inc. |
CWE ids for CVE-2021-41146
-
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
-
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.Assigned by: security-advisories@github.com (Secondary)
-
The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2021-41146
-
https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430
CVE-2021-41146: Add --untrusted-args to avoid argument injection · qutebrowser/qutebrowser@8f46ba3 · GitHubPatch;Third Party Advisory
-
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
Arbitrary command execution in qutebrowser on Windows via URL handler · Advisory · qutebrowser/qutebrowser · GitHubThird Party Advisory
Jump to