Bug 1195119 - (CVE-2021-45844) VUL-0: CVE-2021-45844: FreeCAD: Improper sanitization in the invocation of ODA File Converter allows an attacker to inject OS commands via a crafted filename.
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.3
Hardware/OS: Other / Other
Priority/Severity: P3 - Medium / Minor
Assigned To: Adrian Schröter
Security Team bot: https://smash.suse.de/issue/321685/
Reported: 2022-01-26 08:15 UTC by Robert Frohl
Modified: 2022-01-26 09:15 UTC
Found By: Security Response Team
Description Robert Frohl 2022-01-26 08:15:39 UTC
CVE-2021-45844

Improper sanitization in the invocation of ODA File Converter from FreeCAD 0.19
allows an attacker to inject OS commands via a crafted filename.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45844
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45844
https://tracker.freecad.org/view.php?id=4809
https://forum.freecadweb.org/viewtopic.php?t=64733
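As an added example (not FreeCAD's own code or its fix), the bug class described above in Python: a converter invocation that splices the filename into a shell command string, beside an argv-list invocation that hands the name to the process verbatim. The converter path and its argument layout (input folder, output folder, version, type, recurse, audit, name filter) are assumptions for illustration.

```python
"""Added example, not FreeCAD's code: shell-string vs argv-list invocation
of the ODA File Converter. Converter path and argument layout are assumed."""
import shlex
import subprocess
from pathlib import Path

ODA_CONVERTER = "/opt/ODAFileConverter/ODAFileConverter"  # assumed location
SHELL_META = set(';|&$`<>()"\'\\*?\n')


def unsafe_command_string(dwg_path: str, out_dir: str) -> str:
    """Vulnerable pattern: the filename is spliced into one string that a
    shell will parse, so any shell syntax in the name becomes shell syntax."""
    src = Path(dwg_path)
    return f"{ODA_CONVERTER} {src.parent} {out_dir} ACAD2018 DXF 0 1 {src.name}"


def shell_tokens(cmd: str) -> list:
    """Tokenize the string as a POSIX shell would, without executing it."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def looks_suspicious(name: str) -> bool:
    """Detection aid: flag a filename that would be shell syntax in a string."""
    return any(ch in SHELL_META for ch in name)


def safe_argv(dwg_path: str, out_dir: str) -> list:
    """Hardened pattern: every value is its own argv element; no shell."""
    src = Path(dwg_path)
    if src.suffix.lower() != ".dwg":
        raise ValueError(f"not a .dwg file: {src.name!r}")
    return [ODA_CONVERTER, str(src.parent), str(out_dir),
            "ACAD2018", "DXF", "0", "1", src.name]


def run_converter(dwg_path: str, out_dir: str) -> int:
    """Execute with shell=False so argv reaches the converter unchanged."""
    return subprocess.run(safe_argv(dwg_path, out_dir), shell=False).returncode


if __name__ == "__main__":
    name = "/home/user/my $drawing (v2).dwg"  # constructed sample filename
    print(shell_tokens(unsafe_command_string(name, "/tmp/out")))
    print(safe_argv(name, "/tmp/out"))
```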
Comment 1 Robert Frohl 2022-01-26 08:39:15 UTC
All versions are affected, including 0.19.3; the fix [0] is not part of any version yet.

[0] https://github.com/FreeCAD/FreeCAD/commit/1742d7ff82af1653253c4a4183c262c9af3b26d6
Comment 2 Robert Frohl 2022-01-26 08:42:47 UTC
Relevant for Factory too.