CVE-2023-39726 : An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitr

An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal.

Published 2023-10-26 21:15:08

Updated 2024-09-10 17:35:08

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2023-39726

Mintty Project » Mintty
Versions up to, including, (<=) 3.6.4
cpe:2.3:a:mintty_project:mintty:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

2.14%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 83 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST	2024-09-10
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input into an executable resource, such as a library, configuration file, or template.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

https://dgl.cx/2023/09/ansi-terminal-security#mintty-osc50

" [31m"?! ANSI Terminal security in 2023 and finding 10 CVEs
Third Party Advisory

Jump to