CVE-2021-41146 Information
Description
qutebrowser is an open source keyboard-focused browser with a minimal GUI. Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers a qutebrowserurl: URL handler. With certain applications, opening a specially crafted qutebrowserurl:... URL can lead to execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as :spawn or :debug-pyeval. Only Windows installs where qutebrowser is registered as URL handler are affected. The issue has been fixed in qutebrowser v2.4.0. The fix also adds additional hardening for potential similar issues on Linux (by adding the new --untrusted-args flag to the .desktop file), though no such vulnerabilities are known.
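A defender's audit check for the handler registration described above, added here as an example and not part of the CVE record or the qutebrowser project. It assumes the standard Windows URL-protocol registry layout (HKCR\qutebrowserurl with a "URL Protocol" value and the launch command under shell\open\command) and that the installed qutebrowser.exe carries Win32 version metadata:

```powershell
# Added audit script, not from the qutebrowser advisory or project.
# Assumptions: the handler uses the standard Windows URL-protocol layout
# (HKCR\<scheme>, "URL Protocol" value, command under shell\open\command),
# and qutebrowser.exe exposes a ProductVersion in its Win32 version resource.
$scheme = 'qutebrowserurl'
$key = "Registry::HKEY_CLASSES_ROOT\$scheme"

if (-not (Test-Path -Path $key)) {
    Write-Output "No '${scheme}:' handler is registered; this host is not exposed to CVE-2021-41146."
    return
}

$isProtocol = $null -ne (Get-Item -Path $key).GetValue('URL Protocol', $null)
$cmdKey = "$key\shell\open\command"
$cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
Write-Output "'${scheme}:' handler registered (URL Protocol value present: $isProtocol)"
Write-Output "Launch command: $cmd"

# Pull the executable path out of the command line (quoted or bare first token).
$exe = $null
if ($cmd -match '^"([^"]+)"' -or $cmd -match '^(\S+)') { $exe = $Matches[1] }

if ($exe -and (Test-Path -Path $exe)) {
    $raw = (Get-Item -Path $exe).VersionInfo.ProductVersion
    Write-Output "qutebrowser.exe product version: $raw"
    try {
        # Keep only the leading numeric part, e.g. "2.3.1" from "2.3.1+extra".
        $ver = [version]($raw -replace '[^\d.].*$', '')
        if ($ver -ge [version]'1.7.0' -and $ver -lt [version]'2.4.0') {
            Write-Output "Affected range (>= 1.7.0, < 2.4.0): update to qutebrowser 2.4.0 or later."
        } else {
            Write-Output "Version is outside the affected range."
        }
    } catch {
        Write-Output "Could not parse version '$raw'; verify the version manually."
    }
} else {
    Write-Output "Handler executable not found; the registration may be stale and can be removed."
}
```

If the version resource is missing, confirm the version from inside qutebrowser instead and treat any handler registration on a pre-2.4.0 install as exposed.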
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Reference
https://github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
https://github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Base Severity
HIGH