CVE-2017-17520

Source
https://nvd.nist.gov/vuln/detail/CVE-2017-17520
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-17520.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2017-17520
Published
2017-12-14T16:29:00Z
Modified
2025-07-03T02:07:51.452459Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

tools/urlhandler.pl in TIN 2.4.1 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a third party has reported that this is intentional behavior, because the documentation states "urlhandler.pl was designed to work together with tin which only issues shell escaped absolute URLs."

References

Affected packages

Debian:11 / tin

Package

Name
tin
Purl
pkg:deb/debian/tin?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1:2.*

1:2.4.5-1
1:2.4.6~20210225-1
1:2.6.0-1
1:2.6.1~20211026-1
1:2.6.1-1
1:2.6.2~20220129-1
1:2.6.2~20220318-1
1:2.6.2~20220503-1
1:2.6.2~20221013-1
1:2.6.2~20221031-1
1:2.6.2-1
1:2.6.3~20230505-1
1:2.6.3~20230707-1
1:2.6.3~20230803-1
1:2.6.3~20231002-1
1:2.6.3~20231106-1
1:2.6.3~20231106-2
1:2.6.3~20231201-1
1:2.6.3-1
1:2.6.4~20240224-1
1:2.6.4~20240328-1
1:2.6.4~20240328-2
1:2.6.4~20240430-1
1:2.6.4~20240531-1
1:2.6.4~20240704-1
1:2.6.4~20240801-1
1:2.6.4~20240917-1
1:2.6.4~20241019-1
1:2.6.4~20241109-1
1:2.6.4~20241109-2
1:2.6.4~20241128-1
1:2.6.4-1
1:2.6.5~20250209-1
1:2.6.5~20250309-1
1:2.6.5~20250309-2
1:2.6.5~20250409-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / tin

Package

Name
tin
Purl
pkg:deb/debian/tin?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1:2.*

1:2.6.2-1
1:2.6.3~20230505-1
1:2.6.3~20230707-1
1:2.6.3~20230803-1
1:2.6.3~20231002-1
1:2.6.3~20231106-1
1:2.6.3~20231106-2
1:2.6.3~20231201-1
1:2.6.3-1
1:2.6.4~20240224-1
1:2.6.4~20240328-1
1:2.6.4~20240328-2
1:2.6.4~20240430-1
1:2.6.4~20240531-1
1:2.6.4~20240704-1
1:2.6.4~20240801-1
1:2.6.4~20240917-1
1:2.6.4~20241019-1
1:2.6.4~20241109-1
1:2.6.4~20241109-2
1:2.6.4~20241128-1
1:2.6.4-1
1:2.6.5~20250209-1
1:2.6.5~20250309-1
1:2.6.5~20250309-2
1:2.6.5~20250409-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / tin

Package

Name
tin
Purl
pkg:deb/debian/tin?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

1:2.*

1:2.6.2-1
1:2.6.3~20230505-1
1:2.6.3~20230707-1
1:2.6.3~20230803-1
1:2.6.3~20231002-1
1:2.6.3~20231106-1
1:2.6.3~20231106-2
1:2.6.3~20231201-1
1:2.6.3-1
1:2.6.4~20240224-1
1:2.6.4~20240328-1
1:2.6.4~20240328-2
1:2.6.4~20240430-1
1:2.6.4~20240531-1
1:2.6.4~20240704-1
1:2.6.4~20240801-1
1:2.6.4~20240917-1
1:2.6.4~20241019-1
1:2.6.4~20241109-1
1:2.6.4~20241109-2
1:2.6.4~20241128-1
1:2.6.4-1
1:2.6.5~20250209-1
1:2.6.5~20250309-1
1:2.6.5~20250309-2
1:2.6.5~20250409-1

Ecosystem specific

{
    "urgency": "unimportant"
}