OS Command Injection Affecting shadowsocks-libev package, versions <3.1.0+ds-2


Severity

high (Snyk's Security Team recommends NVD's CVSS assessment)

Threat Intelligence

EPSS: 0.1% (42nd percentile)

  • Snyk ID SNYK-DEBIAN11-SHADOWSOCKSLIBEV-531783
  • published 27 Oct 2017
  • disclosed 27 Oct 2017

How to fix?

Upgrade Debian:11 shadowsocks-libev to version 3.1.0+ds-2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadowsocks-libev package and not the shadowsocks-libev package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server, build_config, and construct_command_line functions.
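The description above points at the root cause: configuration values taken from a JSON request are spliced into a command line that a shell then parses. The C below is an added illustration, not shadowsocks-libev's own code, of the two defensive patterns a reviewer would look for in such a path: a strict allowlist check for any value that still has to be embedded in a shell string, and an argv builder that hands each field to execvp() as a single argument so no shell ever interprets it. The string-typed fields and the -p/-k/-m ss-server flags are assumptions for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Characters the shell treats specially; a value containing any of them
   must never be pasted into a command string handed to system(). */
static const char SHELL_META[] = "`$|&;<>()\\\"'*?[]{}~!#\n\r \t";

/* Non-empty, printable ASCII only (rejects control characters and DEL). */
static bool printable_ascii(const char *s) {
    if (s == NULL || *s == '\0') return false;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p < 0x20 || *p > 0x7e) return false;
    return true;
}

/* Allowlist check for a value that still has to be embedded in a shell
   command line: printable ASCII with no shell metacharacters at all. */
bool value_is_shell_safe(const char *value) {
    if (!printable_ascii(value)) return false;
    for (const char *p = value; *p; p++)
        if (strchr(SHELL_META, *p) != NULL) return false;
    return true;
}

/* A port that arrives as text must be a decimal integer in 1..65535. */
bool port_is_valid(const char *port) {
    if (port == NULL || *port == '\0' || strlen(port) > 5) return false;
    for (const char *p = port; *p; p++)
        if (!isdigit((unsigned char)*p)) return false;
    long n = strtol(port, NULL, 10);
    return n >= 1 && n <= 65535;
}

/* Preferred fix: build an argv vector for execvp() rather than a string for
   system().  Each field is exactly one argument, so no shell parses it and
   a '$' or ';' in a password is harmless.  Returns the argument count (without
   the NULL terminator) or -1 on bad input.  -p/-k/-m are assumed ss-server flags. */
int build_argv(const char *port, const char *password, const char *method,
               const char **argv, size_t cap) {
    if (!port_is_valid(port) || !printable_ascii(password) ||
        !printable_ascii(method)) return -1;
    const char *items[] = { "ss-server", "-p", port, "-k", password, "-m", method };
    size_t n = sizeof items / sizeof items[0];
    if (cap < n + 1) return -1;
    for (size_t i = 0; i < n; i++) argv[i] = items[i];
    argv[n] = NULL;
    return (int)n;
}
```

Note that the argv path still validates the port and rejects control characters, because a shell-free exec removes the injection vector but not the need to reject malformed input.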