CVE-2023-1277 : A vulnerability, which was classified as critical, was found in kylin-system-upd

A vulnerability, which was classified as critical, was found in kylin-system-updater up to 1.4.20kord on Ubuntu Kylin. Affected is the function InstallSnap of the component Update Handler. The manipulation leads to command injection. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222600.

Published 2023-03-08 19:15:11

Updated 2024-05-17 02:17:56

Source VulDB

View at NVD, CVE.org

Products affected by CVE-2023-1277

Ubuntukylin » Kylin-system-updater
Versions up to, including, (<=) 1.4.20kord
cpe:2.3:a:ubuntukylin:kylin-system-updater:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-1277

EPSS FAQ

0.24%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 44 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-1277

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.8	MEDIUM	AV:L/AC:L/Au:S/C:C/I:C/A:C	3.1	10.0	VulDB
Access Vector: Local Access Complexity: Low Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	VulDB
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	VulDB	2024-02-13
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-1277

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: cna@vuldb.com (Secondary)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-1277

https://github.com/cn-lwj/vuldb/blob/master/kylin-system-updater_vuln.md

vuldb/kylin-system-updater_vuln.md at master · cn-lwj/vuldb · GitHub
Exploit;Third Party Advisory
https://vuldb.com/?id.222600

Login required
Third Party Advisory
https://vuldb.com/?ctiid.222600

Login required
Permissions Required;Third Party Advisory

Jump to

Vulnerability Details : CVE-2023-1277

Products affected by CVE-2023-1277

Exploit prediction scoring system (EPSS) score for CVE-2023-1277

CVSS scores for CVE-2023-1277

CWE ids for CVE-2023-1277

References for CVE-2023-1277