Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01NjR3LTk3cjctYzZwOc4AAz-c
Livebook Desktop's protocol handler can be exploited to execute arbitrary command on Windows
On Windows, it is possible to open a livebook:// link from a browser, which opens Livebook Desktop and triggers arbitrary code execution on the victim's machine.
Any user running Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from a browser.
Permalink: https://github.com/advisories/GHSA-564w-97r7-c6p9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NjR3LTk3cjctYzZwOc4AAz-c
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS Percentage: 0.00437
EPSS Percentile: 0.75501
Identifiers: GHSA-564w-97r7-c6p9, CVE-2023-35174
References:
- https://github.com/livebook-dev/livebook/security/advisories/GHSA-564w-97r7-c6p9
- https://github.com/livebook-dev/livebook/commit/2e11b59f677c6ed3b6aa82dad412a8b3406ffdf1
- https://github.com/livebook-dev/livebook/commit/beb10daaadcc765f0380e436bd7cd5f74cf086c8
- https://github.com/livebook-dev/livebook/releases/tag/v0.8.2
- https://github.com/livebook-dev/livebook/releases/tag/v0.9.3
- https://nvd.nist.gov/vuln/detail/CVE-2023-35174
- https://github.com/advisories/GHSA-564w-97r7-c6p9
Blast Radius: 9.6
Affected Packages
hex:livebook
Dependent packages: 2
Dependent repositories: 13
Downloads: 112,972 total
Affected Version Ranges: >= 0.9.0, < 0.9.3, >= 0.8.0, < 0.8.2
Fixed in: 0.9.3, 0.8.2
All affected versions: 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.8.2, 0.9.3, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.12.1, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.14.4, 0.14.5