CVE-2016-10243 Information

Description

TeX Live allows remote attackers to execute arbitrary commands by leveraging inclusion of mpost in shell_escape_commands in the texmf.cnf config file.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.debian.org/security/2017/dsa-3803
http://www.openwall.com/lists/oss-security/2017/03/05/1
http://www.securityfocus.com/bid/96593
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/B7CNJ4HKX7X6V7VMN3UCU7KPY6IX4XRB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL6PUKPWEXYIPIAZRIX5ZLQWCSALVLFP/
https://scumjr.github.io/2016/11/28/pwning-coworkers-thanks-to-latex/
https://security.gentoo.org/glsa/201709-07
https://www.tug.org/svn/texlive?view=revision&revision=42605

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

CRITICAL
