Fluid Attacks Database

Description

In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server, build_config, and construct_command_line functions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	shadowsocks-libev	>=0 <3.1.0+ds-2	3.1.0+ds-2
debian 13	shadowsocks-libev	>=0 <3.1.0+ds-2	3.1.0+ds-2
debian 11	shadowsocks-libev	>=0 <3.1.0+ds-2	3.1.0+ds-2
debian 12	shadowsocks-libev	>=0 <3.1.0+ds-2	3.1.0+ds-2

Aliases

1. CVE-2017-159242. NVD-2017-159243. OSV-DEBIAN-2017-159244. OSV-2017-159245. SECURITY-TRACKER-CVE-2017-15924

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.