Published: 17 June 2017
SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.
CVSS 3 base score: 9.8
Launchpad, Ubuntu, Debian
|Ubuntu 20.04 LTS (Focal Fossa)||
|Ubuntu 18.04 LTS (Bionic Beaver)||
|Ubuntu 16.04 ESM (Xenial Xerus)||
(code not present)
|Ubuntu 14.04 ESM (Trusty Tahr)||
Does not exist
(trusty was not-affected [code not present])
The patches look like this is a simple black-list functionality but doesn't black-list $() or `` or <() or any other number of shell metacharacters. I expect this is still broken and should use a whitelist of a-z0-9_-.
"SPIP 3.0.x and earlier versions are not affected by this issue."