CVE-2017-17513
PUBLISHED
TeX Live through 20170524 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL, related to linked_scripts/context/stubs/unix/mtxrun, texmf-dist/scripts/context/stubs/mswin/mtxrun.lua, and texmf-dist/tex/luatex/lualibs/lualibs-os.lua.
Risk Scores
EPSS Score: 0.51% (66.7th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:18.04:LTS | texlive-bin | 2017.20170613.44572-6, 0, 2017.20170613.44572-8ubuntu0.2 |
| Ubuntu:18.04:LTS | texlive-base | 2017.20171128-1, 2017.20180305-1, 2017.20171031-1 |
| Ubuntu:25.10 | texlive-base | 2024.20250309-1, 0 |
| Ubuntu:Pro:20.04:LTS | texlive-bin | 2019.20190605.51237-3ubuntu0.2, 2019.20190605.51237-2build1, 2019.20190605.51237-3 |
| Ubuntu:20.04:LTS | context | 2019.03.21.20190425-2, 0 |
| Ubuntu:16.04:LTS | context | 0, 2015.05.18.20150601-2 |
| Ubuntu:24.04:LTS | context | *, 0, 2021.03.05.20230120+dfsg-2 |
| Ubuntu:20.04:LTS | texlive-base | 2019.20200218-1, 2019.20191112-1, 2019.20191208-4 |
| Ubuntu:24.04:LTS | texlive-bin | 2023.20230311.66589-6, 2023.20230311.66589-8, 2023.20230311.66589-8build1 |
| Ubuntu:18.04:LTS | context | 2017.05.15.20170613-2, 0 |
| Ubuntu:24.04:LTS | texlive-base | 2023.20231007-1, 0, 2023.20240207-1 |
| Ubuntu:22.04:LTS | texlive-bin | 0, 2021.20210626.59705-1build1, 2021.20210626.59705-1 |
| Ubuntu:22.04:LTS | texlive-base | 0, 2020.20210202-3, 2021.20211127-1 |
| Ubuntu:16.04:LTS | texlive-base | 2015.20151116-1ubuntu1, 2015.20160117-1, 2015.20150625-1ubuntu1 |
| Ubuntu:Pro:16.04:LTS | texlive-bin | 0, 2015.20150524.37493-7, 2015.20150524.37493-5build1 |
| Ubuntu:22.04:LTS | context | 0, 2020.03.10.20200331-1, 2021.03.05.20220211-1 |
| Ubuntu:25.10 | texlive-bin | 0, 2024.20240313.70630+ds-6ubuntu2, 2024.20240313.70630+ds-6 |
| Ubuntu:25.10 | context | 0, 2024.04.01.20240428+dfsg-2 |
Timeline
- Dec 14, 2017 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- May 2, 2022 EPSS Score
- May 14, 2022 CVE Updated
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2017-17513 third-party-advisory
- https://sources.debian.org/src/texlive-base/2017.20171128-1/texmf-dist/tex/luatex/lualibs/lualibs-os.lua/#L153 third-party-advisory
- https://sources.debian.org/src/texlive-bin/2016.20160513.41080.dfsg-2/texk/texlive/linked_scripts/context/stubs/unix/mtxrun/#L3004 third-party-advisory
- https://sources.debian.org/src/context/2017.05.15.20170613-2/texmf-dist/scripts/context/stubs/mswin/mtxrun.lua/?hl=3424#L3424 third-party-advisory
- https://security-tracker.debian.org/tracker/CVE-2017-17513 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2017-17513 third-party-advisory