CVE-2017-17514

boxes.c in nip2 8.4.0 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that this product does not use the BROWSER environment variable

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name	Vendor	Start Version	End Version
Nip2	Nip2_project	8.4.0 (including)	8.4.0 (including)
Nip2	Ubuntu	artful	*
Nip2	Ubuntu	bionic	*
Nip2	Ubuntu	cosmic	*
Nip2	Ubuntu	disco	*
Nip2	Ubuntu	eoan	*
Nip2	Ubuntu	groovy	*
Nip2	Ubuntu	hirsute	*
Nip2	Ubuntu	impish	*
Nip2	Ubuntu	kinetic	*
Nip2	Ubuntu	lunar	*
Nip2	Ubuntu	mantic	*
Nip2	Ubuntu	trusty	*
Nip2	Ubuntu	xenial	*
Nip2	Ubuntu	zesty	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/10.html
https://cwe.mitre.org/data/definitions/101.html
https://cwe.mitre.org/data/definitions/105.html
https://cwe.mitre.org/data/definitions/108.html
https://cwe.mitre.org/data/definitions/120.html
https://cwe.mitre.org/data/definitions/13.html
https://cwe.mitre.org/data/definitions/135.html
https://cwe.mitre.org/data/definitions/14.html
https://cwe.mitre.org/data/definitions/24.html
https://cwe.mitre.org/data/definitions/250.html
https://cwe.mitre.org/data/definitions/267.html
https://cwe.mitre.org/data/definitions/273.html
https://cwe.mitre.org/data/definitions/28.html
https://cwe.mitre.org/data/definitions/3.html
https://cwe.mitre.org/data/definitions/34.html
https://cwe.mitre.org/data/definitions/42.html
https://cwe.mitre.org/data/definitions/43.html
https://cwe.mitre.org/data/definitions/45.html
https://cwe.mitre.org/data/definitions/46.html
https://cwe.mitre.org/data/definitions/47.html
https://cwe.mitre.org/data/definitions/51.html
https://cwe.mitre.org/data/definitions/52.html
https://cwe.mitre.org/data/definitions/53.html
https://cwe.mitre.org/data/definitions/6.html
https://cwe.mitre.org/data/definitions/64.html
https://cwe.mitre.org/data/definitions/67.html
https://cwe.mitre.org/data/definitions/7.html
https://cwe.mitre.org/data/definitions/71.html
https://cwe.mitre.org/data/definitions/72.html
https://cwe.mitre.org/data/definitions/76.html
https://cwe.mitre.org/data/definitions/78.html
https://cwe.mitre.org/data/definitions/79.html
https://cwe.mitre.org/data/definitions/8.html
https://cwe.mitre.org/data/definitions/80.html
https://cwe.mitre.org/data/definitions/83.html
https://cwe.mitre.org/data/definitions/84.html
https://cwe.mitre.org/data/definitions/9.html

References

https://github.com/jcupitt/nip2/issues/70
https://security-tracker.debian.org/tracker/CVE-2017-17514
https://github.com/jcupitt/nip2/issues/70
https://security-tracker.debian.org/tracker/CVE-2017-17514

NVD	https://nvd.nist.gov/vuln/detail/CVE-2017-17514
CWE	https://cwe.mitre.org/data/definitions/74.html

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References