CVE-2017-17522

NameCVE-2017-17522
DescriptionLib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jython (PTS)jessie, jessie (lts)2.5.3-3+deb8u1vulnerable
stretch (security), stretch (lts), stretch2.5.3-16+deb9u1vulnerable
buster2.7.1+repack1-4~deb10u1vulnerable
bullseye2.7.2+repack1-3vulnerable
sid, trixie, bookworm2.7.3+repack1-1vulnerable
python2.7 (PTS)jessie, jessie (lts)2.7.9-2-ds1-1+deb8u12vulnerable
stretch (security)2.7.13-2+deb9u6vulnerable
stretch (lts), stretch2.7.13-2+deb9u9vulnerable
buster (security), buster, buster (lts)2.7.16-2+deb10u4vulnerable
bullseye2.7.18-8+deb11u1vulnerable
python3.4 (PTS)jessie, jessie (lts)3.4.2-1+deb8u18vulnerable
python3.5 (PTS)stretch (security)3.5.3-1+deb9u5vulnerable
stretch (lts), stretch3.5.3-1+deb9u10vulnerable
python3.7 (PTS)buster, buster (lts)3.7.3-2+deb10u8vulnerable
buster (security)3.7.3-2+deb10u7vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jythonsourcewheezy(not affected)
jythonsource(unstable)(unfixed)unimportant
python2.6source(unstable)(unfixed)unimportant
python2.7source(unstable)(unfixed)unimportant
python3.2source(unstable)(unfixed)unimportant
python3.4source(unstable)(unfixed)unimportant
python3.5source(unstable)(unfixed)unimportant
python3.6source(unstable)(unfixed)unimportant
python3.7source(unstable)(unfixed)unimportant

Notes

[wheezy] - jython <not-affected> (Vulnerable code is not provided in the binary package)
Lib/webbrowser.py does not validate strings before launching the program
specified by the BROWSER environment variable.
https://bugs.python.org/issue32367
Hardly an issue with security impact, as the problematic code further relies
on subprocess.Popen with the default shell=False.

Search for package or bug name: Reporting problems