CVE-2021-45844

NameCVE-2021-45844
DescriptionImproper sanitization in the invocation of ODA File Converter from FreeCAD 0.19 allows an attacker to inject OS commands via a crafted filename.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2934-1
NVD severityhigh
Debian Bugs1005747

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
freecad (PTS)stretch0.16+dfsg2-3vulnerable
stretch (security)0.16+dfsg2-3+deb9u1fixed
buster0.18~pre1+dfsg1-5vulnerable
bullseye0.19.1+dfsg1-2vulnerable
sid0.19.4+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
freecadsourcestretch0.16+dfsg2-3+deb9u1DLA-2934-1
freecadsource(unstable)0.19.4+dfsg1-11005747

Notes

Fixed by; https://github.com/FreeCAD/FreeCAD/commit/1742d7ff82af1653253c4a4183c262c9af3b26d6 (master)
Fxied by: https://github.com/FreeCAD/FreeCAD/commit/ad6977f940d3e64d78a4367452d9a338ad43fa1c (0.19.4)
https://tracker.freecad.org/view.php?id=4809

Search for package or bug name: Reporting problems