Unrated severityNVD Advisory· Published Jul 20, 2020· Updated Aug 4, 2024

Command injection in Radare2

CVE-2020-15121

Description

In radare2 before version 4.5.0, malformed PDB file names in the PDB server path cause shell injection. To trigger the problem it's required to open the executable in radare2 and run idpd to trigger the download. The shell code will execute, and will create a file called pwned in the current directory.

Affected products

Radareorg/Radare2v5
Range: < 4.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MWC7KNBETYE5MK6VIUU26LUIISIFGSBZ/mitrevendor-advisoryx_refsource_FEDORA
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YE77P5RSE2T7JHEKMWF2ARTSJGMPXCFY/mitrevendor-advisoryx_refsource_FEDORA
github.com/radareorg/radare2/commit/04edfa82c1f3fa2bc3621ccdad2f93bdbf00e4f9mitrex_refsource_MISC
github.com/radareorg/radare2/issues/16945mitrex_refsource_MISC
github.com/radareorg/radare2/pull/16966mitrex_refsource_MISC
github.com/radareorg/radare2/security/advisories/GHSA-r552-vp94-9358mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000