CVE-2021-33477
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-33477
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-33477.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-33477
- Downstream
- Related
- Published
- 2021-05-20T20:15:07.397Z
- Modified
- 2025-11-14T11:57:35.289442Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline.
- References
-
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RFMU5YXXNYYVA7G2DAHRXXHO6JKVFUT/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AO52OLNOOKOCZSJCN3R7Q25XA32BWNWP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DUV4LDVZVW7KCGPAMFZD4ZJ4FVLPOX4C/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZWGE2RJONBEHSPCBUAW72NTRTIFKZAX/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLPVEPBH37EBR4R54RMC6GD33J37HJXD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXAKO6N6NKTR6Z6KVAPEXSZQMRU52SGA/
- https://sourceforge.net/projects/materm/files/mrxvt%20source/
- https://sourceforge.net/projects/rxvt/files/rxvt-dev/
- http://cvs.schmorp.de/rxvt-unicode/Changes?view=log
- http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583
- https://git.enlightenment.org/apps/eterm.git/log/
- https://lists.debian.org/debian-lts-announce/2021/05/msg00026.html
- https://lists.debian.org/debian-lts-announce/2021/06/msg00010.html
- https://lists.debian.org/debian-lts-announce/2021/06/msg00011.html
- https://lists.debian.org/debian-lts-announce/2021/06/msg00012.html
- https://packetstormsecurity.com/files/162621/rxvt-2.7.0-rxvt-unicode-9.22-Code-Execution.html
- https://security.gentoo.org/glsa/202105-17
- https://security.gentoo.org/glsa/202209-07
- https://www.openwall.com/lists/oss-security/2017/05/01/20
- https://www.openwall.com/lists/oss-security/2021/05/17/1
Affected packages
Git / github.com/exg/rxvt-unicode
Affected ranges
- Type
- GIT
- Repo
- https://github.com/exg/rxvt-unicode
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affected
Affected versions
rxvt-unicode-1.*
rxvt-unicode-1.2
rxvt-unicode-1.3
rxvt-unicode-1.9
rxvt-unicode-2.*
rxvt-unicode-2.0
rxvt-unicode-2.1
rxvt-unicode-2.2
rxvt-unicode-2.3
rxvt-unicode-2.4
rxvt-unicode-2.5
rxvt-unicode-2.7
rxvt-unicode-2.8
rxvt-unicode-3.*
rxvt-unicode-3.0
rxvt-unicode-3.2
rxvt-unicode-3.3
rxvt-unicode-3.4
rxvt-unicode-3.5
rxvt-unicode-3.6
rxvt-unicode-3.7
rxvt-unicode-3.8
rxvt-unicode-4.*
rxvt-unicode-4.0
rxvt-unicode-4.1
rxvt-unicode-4.2
rxvt-unicode-4.3
rxvt-unicode-4.4
rxvt-unicode-4.6
rxvt-unicode-4.7
rxvt-unicode-4.8
rxvt-unicode-4.9
rxvt-unicode-5.*
rxvt-unicode-5.0
rxvt-unicode-5.1
rxvt-unicode-5.2
rxvt-unicode-5.3
rxvt-unicode-5.4
rxvt-unicode-5.5
rxvt-unicode-5.7
rxvt-unicode-5.8
rxvt-unicode-5.9
rxvt-unicode-6.*
rxvt-unicode-6.0
rxvt-unicode-6.1
rxvt-unicode-6.2
rxvt-unicode-6.3
rxvt-unicode-7.*
rxvt-unicode-7.0
rxvt-unicode-7.1
rxvt-unicode-7.2
rxvt-unicode-7.3
rxvt-unicode-7.3a
rxvt-unicode-7.4
rxvt-unicode-7.5
rxvt-unicode-7.6
rxvt-unicode-7.7
rxvt-unicode-7.8
rxvt-unicode-7.9
rxvt-unicode-8.*
rxvt-unicode-8.0
rxvt-unicode-8.1
rxvt-unicode-8.2
rxvt-unicode-8.3
rxvt-unicode-8.4
rxvt-unicode-8.5a
rxvt-unicode-8.6
rxvt-unicode-8.7
rxvt-unicode-8.8
rxvt-unicode-8.9
rxvt-unicode-9.*
rxvt-unicode-9.0
rxvt-unicode-9.01
rxvt-unicode-9.02
rxvt-unicode-9.05
rxvt-unicode-9.06
rxvt-unicode-9.07
rxvt-unicode-9.09
rxvt-unicode-9.10
rxvt-unicode-9.11
rxvt-unicode-9.12
rxvt-unicode-9.14
rxvt-unicode-9.15
rxvt-unicode-9.16
rxvt-unicode-9.17
rxvt-unicode-9.18
rxvt-unicode-9.19
rxvt-unicode-9.20
rxvt-unicode-9.21
rxvt-unicode-9.22