VDB
CVE-2019-14745
CVE-2019-14745
PUBLISHED
In radare2 before 3.7.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to improper handling of symbol names embedded in executables.
EPSS 4.67% · 89.5th percentile
Risk Scores
EPSS Score
4.67%
89.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | radare2 | 0.9.6-3.1ubuntu1, 0 |
| Ubuntu:Pro:24.04:LTS | radare2 | 5.5.0+dfsg-1.1ubuntu2, *, 0 |
| Ubuntu:25.10 | radare2 | 0, 5.9.8+dfsg-2, 5.9.8+dfsg-2ubuntu0.25.10.1 |
| Ubuntu:Pro:18.04:LTS | radare2 | 2.0.0+dfsg-1, 2.3.0+dfsg-1, 2.3.0+dfsg-2 |
| Ubuntu:Pro:20.04:LTS | radare2 | 0, *, 4.2.1+dfsg-2ubuntu0.1~esm1 |
Timeline
- Aug 7, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Oct 25, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 27, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
- Jan 7, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- May 12, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-14745 third-party-advisory
- https://github.com/radare/radare2/pull/14690 third-party-advisory
- https://bananamafia.dev/post/r2-pwndebian/ third-party-advisory
- https://github.com/radare/radare2/releases/tag/3.7.0 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-14745 third-party-advisory