Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01NjR3LTk3cjctYzZwOc4AAz-c

Livebook Desktop's protocol handler can be exploited to execute arbitrary commands on Windows

On Windows, it is possible to open a livebook:// link from a browser which opens Livebook Desktop and triggers arbitrary code execution on the victim's machine.

Any user running Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from a browser.

Permalink: https://github.com/advisories/GHSA-564w-97r7-c6p9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NjR3LTk3cjctYzZwOc4AAz-c
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

EPSS Percentage: 0.00437
EPSS Percentile: 0.75501

Identifiers: GHSA-564w-97r7-c6p9, CVE-2023-35174
References: Repository: https://github.com/livebook-dev/livebook
Blast Radius: 9.6

Affected Packages

hex:livebook
Dependent packages: 2
Dependent repositories: 13
Downloads: 112,972 total
Affected Version Ranges: >= 0.9.0 and < 0.9.3; >= 0.8.0 and < 0.8.2
Fixed in: 0.9.3, 0.8.2
All affected versions: 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.8.2, 0.9.3, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5