{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-19T19:06:07", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bananamafia.dev/post/r2-pwndebian/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/radare/radare2/pull/14690"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/radare/radare2/releases/tag/3.7.0"}, {"name": "FEDORA-2019-e931422a81", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQO7V37RGQEKZDLY2JYKDZTLNN2YUBC5/"}, {"name": "FEDORA-2019-b3de19c346", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGA2PVBFA6VPWWLMBGWVBESHAJBQ7OXJ/"}, {"name": "FEDORA-2019-65c33bdc2a", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETWG4VKHWL5F74L3QBBKSCOXHSRNSRRT/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-14745", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bananamafia.dev/post/r2-pwndebian/", "refsource": "MISC", "url": "https://bananamafia.dev/post/r2-pwndebian/"}, {"name": "https://github.com/radare/radare2/pull/14690", "refsource": "MISC", "url": "https://github.com/radare/radare2/pull/14690"}, {"name": "https://github.com/radare/radare2/releases/tag/3.7.0", "refsource": "MISC", "url": "https://github.com/radare/radare2/releases/tag/3.7.0"}, {"name": "FEDORA-2019-e931422a81", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RQO7V37RGQEKZDLY2JYKDZTLNN2YUBC5/"}, {"name": "FEDORA-2019-b3de19c346", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MGA2PVBFA6VPWWLMBGWVBESHAJBQ7OXJ/"}, {"name": "FEDORA-2019-65c33bdc2a", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ETWG4VKHWL5F74L3QBBKSCOXHSRNSRRT/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:26:39.136Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bananamafia.dev/post/r2-pwndebian/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/radare/radare2/pull/14690"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/radare/radare2/releases/tag/3.7.0"}, {"name": "FEDORA-2019-e931422a81", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQO7V37RGQEKZDLY2JYKDZTLNN2YUBC5/"}, {"name": "FEDORA-2019-b3de19c346", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGA2PVBFA6VPWWLMBGWVBESHAJBQ7OXJ/"}, {"name": "FEDORA-2019-65c33bdc2a", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETWG4VKHWL5F74L3QBBKSCOXHSRNSRRT/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-14745", "datePublished": "2019-08-07T14:58:18", "dateReserved": "2019-08-07T00:00:00", "dateUpdated": "2024-08-05T00:26:39.136Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*", "matchCriteriaId": "344B5660-4616-414F-9B39-1B3BB9890226", "versionEndExcluding": "3.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables."}, {"lang": "es", "value": "En radare2 anterior a la versi\u00f3n 3.7.0, se presenta una vulnerabilidad de inyecci\u00f3n de comandos en la funci\u00f3n bin_symbols() en el archivo libr/core/cbin.c. Mediante el uso de un archivo ejecutable dise\u00f1ado, es posible ejecutar comandos de shell arbitrarios con los permisos de la v\u00edctima. Esta vulnerabilidad es debido al manejo inapropiado de los nombres de s\u00edmbolos insertados en los ejecutables."}], "id": "CVE-2019-14745", "lastModified": "2024-11-21T04:27:15.333", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-07T15:15:14.047", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bananamafia.dev/post/r2-pwndebian/"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/radare/radare2/pull/14690"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/radare/radare2/releases/tag/3.7.0"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETWG4VKHWL5F74L3QBBKSCOXHSRNSRRT/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGA2PVBFA6VPWWLMBGWVBESHAJBQ7OXJ/"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQO7V37RGQEKZDLY2JYKDZTLNN2YUBC5/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://bananamafia.dev/post/r2-pwndebian/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/radare/radare2/pull/14690"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/radare/radare2/releases/tag/3.7.0"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ETWG4VKHWL5F74L3QBBKSCOXHSRNSRRT/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGA2PVBFA6VPWWLMBGWVBESHAJBQ7OXJ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RQO7V37RGQEKZDLY2JYKDZTLNN2YUBC5/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}