Vulnerability Description
In iTerm2 before 3.5.2, the "Terminal may report window title" setting is not honored, and thus remote code execution might occur but "is not trivially exploitable."
CVSS Score
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Iterm2 | Iterm2 | >= 3.5.0, < 3.5.2 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2024/06/17/1Mailing ListThird Party Advisory
- https://gitlab.com/gnachman/iterm2/-/commit/f1e89f78dd72dcac3ba66d3d6f93db3f7f64Patch
- https://gitlab.com/gnachman/iterm2/-/tags/v3.5.2Release Notes
- https://iterm2.com/downloads.htmlProduct
- https://www.openwall.com/lists/oss-security/2024/06/15/1Mailing List
- http://www.openwall.com/lists/oss-security/2024/06/17/1Mailing ListThird Party Advisory
- https://gitlab.com/gnachman/iterm2/-/commit/f1e89f78dd72dcac3ba66d3d6f93db3f7f64Patch
- https://gitlab.com/gnachman/iterm2/-/tags/v3.5.2Release Notes
- https://iterm2.com/downloads.htmlProduct
- https://www.openwall.com/lists/oss-security/2024/06/15/1Mailing List
FAQ
What is CVE-2024-38395?
CVE-2024-38395 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In iTerm2 before 3.5.2, the "Terminal may report window title" setting is not honored, and thus remote code execution might occur but "is not trivially exploitable."
How severe is CVE-2024-38395?
CVE-2024-38395 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2024-38395?
Check the references section above for vendor advisories and patch information. Affected products include: Iterm2 Iterm2.