Vulnerability Description
Deepin Linux's default document reader `deepin-reader` software suffers from a serious vulnerability in versions prior to 6.0.7 due to a design flaw that leads to remote command execution via crafted docx document. This is a file overwrite vulnerability. Remote code execution (RCE) can be achieved by overwriting files like .bash_rc, .bash_login, etc. RCE will be triggered when the user opens the terminal. Version 6.0.7 contains a patch for the issue.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Deepin | Deepin Reader | < 6.0.7 |
Related Weaknesses (CWE)
References
- https://github.com/linuxdeepin/deepin-reader/commit/4db7a079fb7bd77257b1b9208a7aPatch
- https://github.com/linuxdeepin/deepin-reader/commit/c192fd20a2fe4003e0581c316448Patch
- https://github.com/linuxdeepin/developer-center/security/advisories/GHSA-q9jr-72ExploitVendor Advisory
- https://github.com/linuxdeepin/deepin-reader/commit/4db7a079fb7bd77257b1b9208a7aPatch
- https://github.com/linuxdeepin/deepin-reader/commit/c192fd20a2fe4003e0581c316448Patch
- https://github.com/linuxdeepin/developer-center/security/advisories/GHSA-q9jr-72ExploitVendor Advisory
FAQ
What is CVE-2023-50254?
CVE-2023-50254 is a vulnerability with a CVSS score of 9.3 (CRITICAL). Deepin Linux's default document reader `deepin-reader` software suffers from a serious vulnerability in versions prior to 6.0.7 due to a design flaw that leads to remote command execution via crafted ...
How severe is CVE-2023-50254?
CVE-2023-50254 has been rated CRITICAL with a CVSS base score of 9.3/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-50254?
Check the references section above for vendor advisories and patch information. Affected products include: Deepin Deepin Reader.