OpenCVE

Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Activitywatch	Activitywatch
Apple	Macos

Configuration 1 [-]

AND

cpe:2.3:a:activitywatch:activitywatch:*:*:*:*:*:*:*:*

cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-12-23T00:00:00

Updated: 2024-08-03T23:25:31.116Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32692

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-23T03:15:07.623

Modified: 2024-11-21T06:07:32.587

Link: CVE-2021-32692

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-32692", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T23:25:31.116Z", "dateReserved": "2021-05-12T00:00:00", "datePublished": "2022-12-23T00:00:00"}, "containers": {"cna": {"title": "Activity Watch vulnerable to command execution on macOS via printAppTitle.scpt", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-12-23T00:00:00"}, "descriptions": [{"lang": "en", "value": "Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file."}], "affected": [{"vendor": "ActivityWatch", "product": "Activity Watch", "versions": [{"version": "0.11.0", "status": "affected", "lessThan": "0.11.0", "versionType": "custom"}]}], "references": [{"url": "https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "cweId": "CWE-77"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"defect": [], "advisory": "", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:25:31.116Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:activitywatch:activitywatch:*:*:*:*:*:*:*:*", "matchCriteriaId": "6309D2D2-8E6B-44D2-A3F7-06AF8530F1FD", "versionEndExcluding": "0.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Activity Watch is a free and open-source automated time tracker. Versions prior to 0.11.0 allow an attacker to execute arbitrary commands on any macOS machine with ActivityWatch running. The attacker can exploit this vulnerability by having the user visiting a website with the page title set to a malicious string. An attacker could use another application to accomplish the same, but the web browser is the most likely attack vector. This issue is patched in version 0.11.0. As a workaround, users can run the latest version of aw-watcher-window from source, or manually patch the `printAppTitle.scpt` file."}, {"lang": "es", "value": "Activity Watch es un rastreador de tiempo automatizado gratuito y de c\u00f3digo abierto. Las versiones anteriores a la 0.11.0 permiten a un atacante ejecutar comandos arbitrarios en cualquier m\u00e1quina macOS con ActivityWatch en ejecuci\u00f3n. El atacante puede aprovechar esta vulnerabilidad haciendo que el usuario visite un sitio web con el t\u00edtulo de la p\u00e1gina configurado como una cadena maliciosa. Un atacante podr\u00eda utilizar otra aplicaci\u00f3n para lograr lo mismo, pero el navegador web es el vector de ataque m\u00e1s probable. Este problema est\u00e1 solucionado en la versi\u00f3n 0.11.0. Como workaround, los usuarios pueden ejecutar la \u00faltima versi\u00f3n de aw-watcher-window desde el c\u00f3digo fuente o parchear manualmente el archivo `printAppTitle.scpt`."}], "id": "CVE-2021-32692", "lastModified": "2024-11-21T06:07:32.587", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-23T03:15:07.623", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ActivityWatch/activitywatch/security/advisories/GHSA-3x6w-q32m-jqf3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}