MidnightBSD

Advisories for rxvt-unicode_project

CVE-2021-33477 MEDIUM

rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline.

CVSS 3.x

Source        Score  Severity  Vector                                        Exploitability  Impact
nvd@nist.gov  8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H  2.8             5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755

Products Affected

Vendor                Product       Version
fedoraproject         fedora        34
rxvt-unicode_project  rxvt-unicode  9.22
rxvt_project          rxvt          2.7.10
debian                debian_linux  9.0
fedoraproject         fedora        33
mrxvt_project         mrxvt         0.5.4
eterm_project         eterm         0.9.7

CVE-2022-4170

The rxvt-unicode package is vulnerable to remote code execution in the Perl background extension when an attacker can control the data written to the user's terminal and certain options are set.

Products Affected

Vendor                Product                              Version
fedoraproject         extra_packages_for_enterprise_linux  8.0
rxvt-unicode_project  rxvt-unicode                         9.25
fedoraproject         fedora                               37
rxvt-unicode_project  rxvt-unicode                         9.26