CVE-2017-8799

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-8799
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8799.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-8799
Published
2017-05-05T18:29:00.557Z
Modified
2026-04-10T04:01:43.471031Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Untrusted input execution via igetwild in all iRODS versions before 4.1.11 and 4.2.1 allows other iRODS users (potentially anonymous) to execute remote shell commands via iRODS virtual pathnames. To exploit this vulnerability, a virtual iRODS pathname that includes a semicolon would be retrieved via igetwild. Because igetwild is a Bash script, the part of the pathname following the semicolon would be executed in the user's shell.

References

Affected packages

Git / github.com/irods/irods

Affected ranges

Type
GIT
Repo
https://github.com/irods/irods
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
bb48cd38c4a543ad8bf45082fa06b15290378b50
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
f9c8c99c1188f92bc109da46f1eb2ca9e9ad9e04
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.1.10"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.2.0"
        }
    ]
}

Affected versions

3.*
3.0
3.0.1b1
3.0b1
3.0b2
3.0b3
4.*
4.0.0
4.0.1
4.0.2
4.0.3
4.1.0
4.1.1
4.1.10
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6
4.1.7
4.1.8
4.1.9
4.2.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-8799.json"