CVE-2020-9359

Name: CVE-2020-9359
Description: KDE Okular before 1.10.0 allows code execution via an action link in a PDF document.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-2159-1
NVD severity: medium
Debian Bugs: 954891

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| okular (PTS) | stretch (security), stretch | 4:16.08.2-1+deb9u1 | vulnerable |
| okular | buster | 4:17.12.2-2.2 | vulnerable |
| okular | bullseye, sid | 4:20.08.1-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| okular | source | jessie | 4:4.14.2-2+deb8u2 | | DLA-2159-1 | |
| okular | source | (unstable) | 4:19.12.3-2 | | | 954891 |

Notes

[buster] - okular <no-dsa> (Minor issue, will be fixed via point update)
[stretch] - okular <no-dsa> (Minor issue)
https://invent.kde.org/kde/okular/-/commit/6a93a033b4f9248b3cd4d04689b8391df754e244
https://kde.org/info/security/advisory-20200312-1.txt
https://sysdream.com/news/lab/2020-03-24-cve-2020-9359-okular-command-execution/ (PoC)
