Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01NjR3LTk3cjctYzZwOc4AAz-c
Livebook Desktop's protocol handler can be exploited to execute arbitrary commands on Windows
On Windows, it is possible to open a livebook:// link from a browser which opens Livebook Desktop and triggers arbitrary code execution on the victim's machine.
Any user running Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from a browser.
Permalink: https://github.com/advisories/GHSA-564w-97r7-c6p9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NjR3LTk3cjctYzZwOc4AAz-c
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 11 months ago
Updated: 6 months ago
CVSS Score: 8.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Identifiers: GHSA-564w-97r7-c6p9, CVE-2023-35174
References:
- https://github.com/livebook-dev/livebook/security/advisories/GHSA-564w-97r7-c6p9
- https://github.com/livebook-dev/livebook/commit/2e11b59f677c6ed3b6aa82dad412a8b3406ffdf1
- https://github.com/livebook-dev/livebook/commit/beb10daaadcc765f0380e436bd7cd5f74cf086c8
- https://github.com/livebook-dev/livebook/releases/tag/v0.8.2
- https://github.com/livebook-dev/livebook/releases/tag/v0.9.3
- https://nvd.nist.gov/vuln/detail/CVE-2023-35174
- https://github.com/advisories/GHSA-564w-97r7-c6p9
Blast Radius: 9.6
Affected Packages
hex:livebook
Dependent packages: 2
Dependent repositories: 13
Downloads: 91,389 total
Affected Version Ranges: >= 0.9.0, < 0.9.3, >= 0.8.0, < 0.8.2
Fixed in: 0.9.3, 0.8.2
All affected versions: 0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2
All unaffected versions: 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.3.0, 0.3.1, 0.3.2, 0.4.0, 0.4.1, 0.5.0, 0.5.1, 0.5.2, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.1, 0.7.2, 0.8.2, 0.9.3, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.12.0, 0.12.1