CVE Vulnerabilities

CVE-2022-4170

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Dec 09, 2022 | Modified: Nov 21, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

The rxvt-unicode package is vulnerable to a remote code execution, in the Perl background extension, when an attacker can control the data written to the users terminal and certain options are set.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Rxvt-unicode Rxvt-unicode_project 9.25 (including) 9.25 (including)
Rxvt-unicode Rxvt-unicode_project 9.26 (including) 9.26 (including)
Rxvt-unicode Ubuntu bionic *
Rxvt-unicode Ubuntu kinetic *
Rxvt-unicode Ubuntu lunar *
Rxvt-unicode Ubuntu mantic *
Rxvt-unicode Ubuntu trusty *
Rxvt-unicode Ubuntu xenial *

Potential Mitigations

References