CVE-2017-14500

Source
https://cve.org/CVERecord?id=CVE-2017-14500
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14500.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-14500
Downstream
Published
2017-09-17T05:29:00.193Z
Modified
2026-07-08T12:05:29.770611Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure (i.e., a podcast file) that includes shell metacharacters in its filename, related to pb_controller.cpp and queueloader.cpp, a different vulnerability than CVE-2017-12904.

References

Affected packages

Git / github.com/akrennmair/newsbeuter

Affected ranges

Type
GIT
Repo
https://github.com/akrennmair/newsbeuter
Events
Database specific
{
    "source": [
        "CPE_STRING",
        "REFERENCES"
    ],
    "cpe": [
        "cpe:2.3:a:newsbeuter:newsbeuter:0.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:0.4:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:0.5:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:0.6:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:0.7:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:0.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:0.8.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:0.8.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:0.9:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:0.9.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:1.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:1.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:1.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:2.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:2.1:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:2.2:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:2.3:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:2.4:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:2.5:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:2.6:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:2.7:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:2.8:*:*:*:*:*:*:*",
        "cpe:2.3:a:newsbeuter:newsbeuter:2.9:*:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0.3"
        },
        {
            "last_affected": "0.3"
        },
        {
            "introduced": "0.4"
        },
        {
            "last_affected": "0.4"
        },
        {
            "introduced": "0.5"
        },
        {
            "last_affected": "0.5"
        },
        {
            "introduced": "0.6"
        },
        {
            "last_affected": "0.6"
        },
        {
            "introduced": "0.7"
        },
        {
            "last_affected": "0.7"
        },
        {
            "introduced": "0.8"
        },
        {
            "last_affected": "0.8"
        },
        {
            "introduced": "0.8.1"
        },
        {
            "last_affected": "0.8.1"
        },
        {
            "introduced": "0.8.2"
        },
        {
            "last_affected": "0.8.2"
        },
        {
            "introduced": "0.9"
        },
        {
            "last_affected": "0.9"
        },
        {
            "introduced": "0.9.1"
        },
        {
            "last_affected": "0.9.1"
        },
        {
            "introduced": "1.0"
        },
        {
            "last_affected": "1.0"
        },
        {
            "introduced": "1.1"
        },
        {
            "last_affected": "1.1"
        },
        {
            "introduced": "1.2"
        },
        {
            "last_affected": "1.2"
        },
        {
            "introduced": "1.3"
        },
        {
            "last_affected": "1.3"
        },
        {
            "introduced": "2.0"
        },
        {
            "last_affected": "2.0"
        },
        {
            "introduced": "2.1"
        },
        {
            "last_affected": "2.1"
        },
        {
            "introduced": "2.2"
        },
        {
            "last_affected": "2.2"
        },
        {
            "introduced": "2.3"
        },
        {
            "last_affected": "2.3"
        },
        {
            "introduced": "2.4"
        },
        {
            "last_affected": "2.4"
        },
        {
            "introduced": "2.5"
        },
        {
            "last_affected": "2.5"
        },
        {
            "introduced": "2.6"
        },
        {
            "last_affected": "2.6"
        },
        {
            "introduced": "2.7"
        },
        {
            "last_affected": "2.7"
        },
        {
            "introduced": "2.8"
        },
        {
            "last_affected": "2.8"
        },
        {
            "introduced": "2.9"
        },
        {
            "last_affected": "2.9"
        }
    ]
}

Affected versions

0.*
0.3
0.4
0.5
0.6
0.7
0.8
0.8.1
0.8.2
0.9
0.9.1
1.*
1.0
1.1
1.2
1.3
2.*
2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9

Database specific

vanir_signatures_modified
"2026-07-08T12:05:29Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14500.json"
vanir_signatures
[
    {
        "id": "CVE-2017-14500-0ba005de",
        "digest": {
            "line_hashes": [
                "122203421145135607605150740415678481744",
                "226326304608593480580444074630309874189",
                "141851851325221400487052087950423918467",
                "126645352107463222030298578303702291104",
                "280107155541152668819977864311526523605",
                "100975989055322441498022819319882045499"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333",
        "deprecated": false,
        "target": {
            "file": "src/pb_controller.cpp"
        }
    },
    {
        "id": "CVE-2017-14500-11cd728b",
        "digest": {
            "function_hash": "297464687269015149749922159851838517057",
            "length": 569.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260",
        "deprecated": false,
        "target": {
            "function": "queueloader::get_filename",
            "file": "src/queueloader.cpp"
        }
    },
    {
        "id": "CVE-2017-14500-1f236f20",
        "digest": {
            "line_hashes": [
                "122203421145135607605150740415678481744",
                "226326304608593480580444074630309874189",
                "141851851325221400487052087950423918467",
                "126645352107463222030298578303702291104",
                "261190887748625915739741040140074181224",
                "72870267390956557907745808987922535707"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260",
        "deprecated": false,
        "target": {
            "file": "src/pb_controller.cpp"
        }
    },
    {
        "id": "CVE-2017-14500-55327ebc",
        "digest": {
            "function_hash": "59995948087546701770999833077024963097",
            "length": 426.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333",
        "deprecated": false,
        "target": {
            "function": "pb_controller::play_file",
            "file": "src/pb_controller.cpp"
        }
    },
    {
        "id": "CVE-2017-14500-993677e3",
        "digest": {
            "function_hash": "325622768065210990364342808000899331722",
            "length": 566.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333",
        "deprecated": false,
        "target": {
            "function": "queueloader::get_filename",
            "file": "src/queueloader.cpp"
        }
    },
    {
        "id": "CVE-2017-14500-a6c43b70",
        "digest": {
            "line_hashes": [
                "28945969528684604269056913412978480261",
                "328591584293568757866463690194581631448",
                "240226559374422634877135290719219586984",
                "111208244330724101130459863208369810773"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260",
        "deprecated": false,
        "target": {
            "file": "src/queueloader.cpp"
        }
    },
    {
        "id": "CVE-2017-14500-a9508c1c",
        "digest": {
            "function_hash": "248584191656778447663072432663244477995",
            "length": 372.0
        },
        "signature_version": "v1",
        "signature_type": "Function",
        "source": "https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260",
        "deprecated": false,
        "target": {
            "function": "pb_controller::play_file",
            "file": "src/pb_controller.cpp"
        }
    },
    {
        "id": "CVE-2017-14500-b1a77817",
        "digest": {
            "line_hashes": [
                "28945969528684604269056913412978480261",
                "328591584293568757866463690194581631448",
                "240226559374422634877135290719219586984",
                "111208244330724101130459863208369810773"
            ],
            "threshold": 0.9
        },
        "signature_version": "v1",
        "signature_type": "Line",
        "source": "https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333",
        "deprecated": false,
        "target": {
            "file": "src/queueloader.cpp"
        }
    }
]