Your submission was sent successfully! Close

CVE-2017-15924

Published: 27 October 2017

In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server, build_config, and construct_command_line functions.

Priority

Medium

CVSS 3 base score: 7.8

Status

Package Release Status
shadowsocks-libev
Launchpad, Ubuntu, Debian
Upstream
Released (3.1.0+ds-2)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(3.1.3+ds-1ubuntu2)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Other: https://github.com/shadowsocks/shadowsocks-libev/commit/c67d275803dc6ea22c558d06b1f7ba9f94cd8de3