CVE-2021-32563 - Vulnerability Details - OpenCVE

An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Xfce	Thunar

Configuration 1 [-]

OR	cpe:2.3:a:xfce:thunar::::::::
	cpe:2.3:a:xfce:thunar::::::::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2021/05/11/3
http://www.openwall.com/lists/oss-security/2023/01/05/1
http://www.openwall.com/lists/oss-security/2023/01/05/2
https://gitlab.xfce.org/xfce/thunar/-/commit/1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d
https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664
https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b
https://gitlab.xfce.org/xfce/thunar/-/tags
https://www.openwall.com/lists/oss-security/2021/05/09/2

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-05-11T00:00:00

Updated: 2024-08-03T23:25:30.561Z

Reserved: 2021-05-11T00:00:00

Link: CVE-2021-32563

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-05-11T05:15:07.217

Modified: 2024-11-21T06:07:16.667

Link: CVE-2021-32563

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-32563", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T23:25:30.561Z", "dateReserved": "2021-05-11T00:00:00", "datePublished": "2021-05-11T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-01-05T00:00:00"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b"}, {"url": "https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664"}, {"url": "https://www.openwall.com/lists/oss-security/2021/05/09/2"}, {"url": "https://gitlab.xfce.org/xfce/thunar/-/tags"}, {"name": "[oss-security] 20210511 Re: Code execution through Thunar", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2021/05/11/3"}, {"url": "https://gitlab.xfce.org/xfce/thunar/-/commit/1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d"}, {"name": "[oss-security] 20230104 Code execution through MIME-type association of Mono interpreter and security expectations of MIME type associations", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/01/05/1"}, {"name": "[oss-security] 20230105 Re: Code execution through MIME-type association of Mono interpreter and security expectations of MIME type associations", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2023/01/05/2"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:25:30.561Z"}, "title": "CVE Program Container", "references": [{"url": "https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b", "tags": ["x_transferred"]}, {"url": "https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664", "tags": ["x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2021/05/09/2", "tags": ["x_transferred"]}, {"url": "https://gitlab.xfce.org/xfce/thunar/-/tags", "tags": ["x_transferred"]}, {"name": "[oss-security] 20210511 Re: Code execution through Thunar", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/05/11/3"}, {"url": "https://gitlab.xfce.org/xfce/thunar/-/commit/1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d", "tags": ["x_transferred"]}, {"name": "[oss-security] 20230104 Code execution through MIME-type association of Mono interpreter and security expectations of MIME type associations", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/01/05/1"}, {"name": "[oss-security] 20230105 Re: Code execution through MIME-type association of Mono interpreter and security expectations of MIME type associations", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2023/01/05/2"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xfce:thunar:*:*:*:*:*:*:*:*", "matchCriteriaId": "FFE279F7-C6F4-4D5D-98A0-6786253DFE3C", "versionEndExcluding": "4.16.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:xfce:thunar:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C50E9C4-30D6-465A-AD74-07074B15B861", "versionEndExcluding": "4.17.2", "versionStartIncluding": "4.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Thunar versiones anteriores a 4.16.7 y versiones 4.17.x anteriores a 4.17.2. Cuando es llamado con un archivo normal como argumento de l\u00ednea de comandos, es delegado en un programa diferente (seg\u00fan el tipo de archivo) sin la confirmaci\u00f3n del usuario. Esto podr\u00eda ser usado para lograr una ejecuci\u00f3n de c\u00f3digo"}], "id": "CVE-2021-32563", "lastModified": "2024-11-21T06:07:16.667", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-05-11T05:15:07.217", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/05/11/3"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/01/05/1"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/01/05/2"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://gitlab.xfce.org/xfce/thunar/-/commit/1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://gitlab.xfce.org/xfce/thunar/-/tags"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2021/05/09/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/05/11/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/01/05/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/01/05/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://gitlab.xfce.org/xfce/thunar/-/commit/1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://gitlab.xfce.org/xfce/thunar/-/tags"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2021/05/09/2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-913"}], "source": "nvd@nist.gov", "type": "Primary"}]}