Fluid Attacks Database

Description

Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version
debian 11	python2.7	=2.7.18-10 \|\| =2.7.18-11 \|\| =2.7.18-12 \|\| =2.7.18-13 \|\| =2.7.18-13.1 \|\| =2.7.18-13.1~exp1 \|\| =2.7.18-13.2 \|\| =2.7.18-8 \|\| =2.7.18-8+deb11u1 \|\| =2.7.18-9
debian 11	jython	=2.7.2+repack1-3 \|\| =2.7.2+repack1-4 \|\| =2.7.2+repack1-5 \|\| =2.7.3+repack1-1
debian 12	jython	=2.7.3+repack1-1
debian 13	jython	=2.7.3+repack1-1
debian 14	jython	=2.7.3+repack1-1

Aliases

1. CVE-2017-175222. NVD-2017-175223. OSV-DEBIAN-2017-175224. OSV-2017-175225. SECURITY-TRACKER-CVE-2017-17522

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.