CVE-2023-35174 – livebook
Package
Manager: erlang
Name: livebook
Vulnerable Version: >=0.8.0 <0.8.2 || >=0.9.0 <0.9.3
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00463 (percentile 0.6333)
Details
Livebook Desktop's `livebook://` protocol handler can be exploited to execute arbitrary commands on Windows. On Windows, opening a `livebook://` link from a browser launches Livebook Desktop, and a crafted link triggers arbitrary code execution on the victim's machine. Any user running Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from the browser; the advisory scopes the issue to Windows. The vulnerable version range above puts the fix in Livebook 0.8.2 (for the 0.8.x line) and 0.9.3 (for the 0.9.x line).
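As an added example (not code from the Livebook project or from the advisory), the following Python evaluates the "Vulnerable Version" expression of this record against an installed version string, so a deployment can be checked offline. It assumes the usual hex/npm range semantics: `||` separates alternative ranges, whitespace separates constraints that must all hold within one alternative, and a pre-release such as `0.9.3-dev` sorts below the final `0.9.3` (so a dev build cut before the fix still counts as vulnerable). The sample version list in the `__main__` block is constructed for illustration.

```python
import re

# Vulnerable range exactly as given in this record's "Vulnerable Version" field.
VULNERABLE_RANGE = ">=0.8.0 <0.8.2 || >=0.9.0 <0.9.3"

_CONSTRAINT_RE = re.compile(r"^(>=|<=|>|<|=)?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v', optional '-prerelease'
    suffix) into a comparable tuple.

    The fourth element is 0 for a pre-release (e.g. '0.9.3-dev') and 1 for a
    final release, so that 0.9.3-dev sorts below 0.9.3 as semver requires.
    """
    text = text.strip()
    if text.startswith("v"):
        text = text[1:]
    core, sep, _prerelease = text.partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if sep else 1)


def parse_constraint(text):
    """Parse one constraint such as '>=0.8.0' into (operator, bound)."""
    m = _CONSTRAINT_RE.match(text)
    if not m:
        raise ValueError(f"unsupported constraint: {text!r}")
    op = m.group(1) or "="
    bound = (int(m.group(2)), int(m.group(3)), int(m.group(4)), 1)
    return op, bound


_OPS = {
    ">=": lambda v, b: v >= b,
    "<=": lambda v, b: v <= b,
    ">": lambda v, b: v > b,
    "<": lambda v, b: v < b,
    "=": lambda v, b: v == b,
}


def parse_range(spec):
    """Split a range expression into alternatives (separated by '||'), each a
    list of constraints that must all hold (separated by whitespace)."""
    alternatives = []
    for alt in spec.split("||"):
        constraints = [parse_constraint(c) for c in alt.split()]
        if not constraints:
            raise ValueError(f"empty alternative in range: {spec!r}")
        alternatives.append(constraints)
    return alternatives


def is_vulnerable(version_text, spec=VULNERABLE_RANGE):
    """True if version_text falls inside any alternative of spec."""
    version = parse_version(version_text)
    return any(
        all(_OPS[op](version, bound) for op, bound in alt)
        for alt in parse_range(spec)
    )


def first_fixed_versions(spec=VULNERABLE_RANGE):
    """Upper bounds of each '<' constraint: the releases that close each
    vulnerable window (0.8.2 and 0.9.3 for this advisory)."""
    fixed = []
    for alt in parse_range(spec):
        for op, bound in alt:
            if op == "<":
                fixed.append(".".join(str(n) for n in bound[:3]))
    return fixed


if __name__ == "__main__":
    # Constructed sample of installed versions, not data from the advisory.
    for v in ["0.7.5", "0.8.1", "0.8.2", "0.9.0", "0.9.3-dev", "0.9.3", "v0.10.0"]:
        status = "VULNERABLE" if is_vulnerable(v) else "not affected"
        print(f"{v:>10}: {status}")
    print("upgrade to:", ", ".join(first_fixed_versions()))
```

The same `is_vulnerable` can be pointed at any other hex-style range string from this corpus; only the `VULNERABLE_RANGE` constant is specific to this record.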
Metadata
Created: 2023-06-21T22:07:37Z
Modified: 2023-06-22T17:26:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-564w-97r7-c6p9/GHSA-564w-97r7-c6p9.json
CWE IDs: CWE-78 (Improper Neutralization of Special Elements used in an OS Command, 'OS Command Injection')
Alternative ID: GHSA-564w-97r7-c6p9
Finding: F004
Auto approve: 1