Vulnerability Details CVE-2017-16667
backintime (aka Back in Time) before 1.1.24 did improper escaping/quoting of file paths used as arguments to the 'notify-send' command, leading to some parts of file paths being executed as shell commands within an os.system call in qt4/plugins/notifyplugin.py. This could allow an attacker to craft an unreadable file with a specific name to run arbitrary shell commands.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 42.1%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 9.3
References
- https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3
- https://github.com/bit-team/backintime/issues/834
- https://github.com/bit-team/backintime/releases/tag/v1.1.24
- https://security.gentoo.org/glsa/201801-06
- https://github.com/bit-team/backintime/commit/cef81d0da93ff601252607df3db1a48f7f6f01b3
- https://github.com/bit-team/backintime/issues/834
- https://github.com/bit-team/backintime/releases/tag/v1.1.24
- https://security.gentoo.org/glsa/201801-06
Products affected by CVE-2017-16667
-
cpe:2.3:a:backintime_project:backintime:0.7.4
-
cpe:2.3:a:backintime_project:backintime:0.8.0
-
cpe:2.3:a:backintime_project:backintime:0.8.12
-
cpe:2.3:a:backintime_project:backintime:0.8.14
-
cpe:2.3:a:backintime_project:backintime:0.8.16
-
cpe:2.3:a:backintime_project:backintime:0.8.18
-
cpe:2.3:a:backintime_project:backintime:0.8.20
-
cpe:2.3:a:backintime_project:backintime:0.8.8
-
cpe:2.3:a:backintime_project:backintime:0.9.0
-
cpe:2.3:a:backintime_project:backintime:0.9.10
-
cpe:2.3:a:backintime_project:backintime:0.9.12
-
cpe:2.3:a:backintime_project:backintime:0.9.14
-
cpe:2.3:a:backintime_project:backintime:0.9.16
-
cpe:2.3:a:backintime_project:backintime:0.9.18
-
cpe:2.3:a:backintime_project:backintime:0.9.2
-
cpe:2.3:a:backintime_project:backintime:0.9.20
-
cpe:2.3:a:backintime_project:backintime:0.9.22
-
cpe:2.3:a:backintime_project:backintime:0.9.24
-
cpe:2.3:a:backintime_project:backintime:0.9.26
-
cpe:2.3:a:backintime_project:backintime:0.9.4
-
cpe:2.3:a:backintime_project:backintime:0.9.6
-
cpe:2.3:a:backintime_project:backintime:0.9.8
-
cpe:2.3:a:backintime_project:backintime:1.0.0
-
cpe:2.3:a:backintime_project:backintime:1.0.12
-
cpe:2.3:a:backintime_project:backintime:1.0.14
-
cpe:2.3:a:backintime_project:backintime:1.0.16
-
cpe:2.3:a:backintime_project:backintime:1.0.18
-
cpe:2.3:a:backintime_project:backintime:1.0.2
-
cpe:2.3:a:backintime_project:backintime:1.0.20
-
cpe:2.3:a:backintime_project:backintime:1.0.24
-
cpe:2.3:a:backintime_project:backintime:1.0.28
-
cpe:2.3:a:backintime_project:backintime:1.0.30
-
cpe:2.3:a:backintime_project:backintime:1.0.36
-
cpe:2.3:a:backintime_project:backintime:1.0.38
-
cpe:2.3:a:backintime_project:backintime:1.0.4
-
cpe:2.3:a:backintime_project:backintime:1.0.40
-
cpe:2.3:a:backintime_project:backintime:1.0.6
-
cpe:2.3:a:backintime_project:backintime:1.1.0
-
cpe:2.3:a:backintime_project:backintime:1.1.10
-
cpe:2.3:a:backintime_project:backintime:1.1.12
-
cpe:2.3:a:backintime_project:backintime:1.1.14
-
cpe:2.3:a:backintime_project:backintime:1.1.16
-
cpe:2.3:a:backintime_project:backintime:1.1.18
-
cpe:2.3:a:backintime_project:backintime:1.1.2
-
cpe:2.3:a:backintime_project:backintime:1.1.20
-
cpe:2.3:a:backintime_project:backintime:1.1.22
-
cpe:2.3:a:backintime_project:backintime:1.1.4
-
cpe:2.3:a:backintime_project:backintime:1.1.6
-
cpe:2.3:a:backintime_project:backintime:1.1.8