CVE-2021-41146: Arbitrary command execution on Windows via qutebrowserurl: URL handler
(updated )
Starting with qutebrowser v1.7.0, the Windows installer for qutebrowser registers it as a handler for certain URL schemes. With some applications such as Outlook Desktop, opening a specially crafted URL can lead to argument injection, allowing execution of qutebrowser commands, which in turn allows arbitrary code execution via commands such as :spawn or :debug-pyeval.
Only Windows installs where qutebrowser is registered as URL handler are affected. It does not have to be set as default browser for the exploit to work.
References
- github.com/advisories/GHSA-vw27-fwjf-5qxm
- github.com/pypa/advisory-database/tree/main/vulns/qutebrowser/PYSEC-2021-382.yaml
- github.com/qutebrowser/qutebrowser
- github.com/qutebrowser/qutebrowser/commit/8f46ba3f6dc7b18375f7aa63c48a1fe461190430
- github.com/qutebrowser/qutebrowser/security/advisories/GHSA-vw27-fwjf-5qxm
- nvd.nist.gov/vuln/detail/CVE-2021-41146
Detect and mitigate CVE-2021-41146 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →