Strix
26.1K

CVE-2017-9333

UnknownEPSS 2.27%

Last modified

CVE-2017-9333 is a vulnerability of currently unknown severity. OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG function in the IpkgController class in plugin/controllers/ipkg.py, when the URL refers to an attacker-controlled web site with a Trojan horse package. This has security implications in cases where untrusted users can trigger CallOPKG calls, and these users can enter an arbitrary URL in an input field, even though that input field was only intended for a package name. EPSS estimates a 2.27% chance of exploitation in the next 30 days.

Description

OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG function in the IpkgController class in plugin/controllers/ipkg.py, when the URL refers to an attacker-controlled web site with a Trojan horse package. This has security implications in cases where untrusted users can trigger CallOPKG calls, and these users can enter an arbitrary URL in an input field, even though that input field was only intended for a package name. This threat model may be relevant in the latest versions of third-party products that bundle OpenWebif, i.e., set-top box products. The issue of Trojan horse packages does NOT have security implications in cases where the attacker has full OpenWebif access.

Metrics

EPSS Probability
2.27%

80.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Openwebif ProjectOpenwebif1.2.5

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2017-9333?
OpenWebif 1.2.5 allows remote code execution via a URL to the CallOPKG function in the IpkgController class in plugin/controllers/ipkg.py, when the URL refers to an attacker-controlled web site with a Trojan horse package. This has security implications in cases where untrusted users can trigger CallOPKG calls, and these users can enter an arbitrary URL in an input field, even though that input field was only intended for a package name. This threat model may be relevant in the latest versions of third-party products that bundle OpenWebif, i.e., set-top box products. The issue of Trojan horse packages does NOT have security implications in cases where the attacker has full OpenWebif access.
How severe is CVE-2017-9333?
Severity scoring for CVE-2017-9333 is pending analysis. The EPSS model estimates a 2.27% probability of exploitation in the next 30 days.
How do I fix CVE-2017-9333?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2017-9333?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST