{"id":"CVE-2017-14500","details":"Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure (i.e., a podcast file) that includes shell metacharacters in its filename, related to pb_controller.cpp and queueloader.cpp, a different vulnerability than CVE-2017-12904.","modified":"2026-04-11T04:14:22.274952Z","published":"2017-09-17T05:29:00.193Z","references":[{"type":"WEB","url":"https://usn.ubuntu.com/4585-1/"},{"type":"ADVISORY","url":"http://openwall.com/lists/oss-security/2017/09/16/1"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-3977"},{"type":"REPORT","url":"https://github.com/akrennmair/newsbeuter/issues/598"},{"type":"FIX","url":"https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333"},{"type":"FIX","url":"https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/akrennmair/newsbeuter","events":[{"introduced":"0"},{"last_affected":"ee1830151054fe407afa9341a05a82e989205134"},{"introduced":"0"},{"last_affected":"6041cee5682b5f3270337b0a923fe3e517fcc92e"},{"introduced":"0"},{"last_affected":"f2076ca1b9edd4f8ed7f364bee33b44c9eece0d2"},{"introduced":"0"},{"last_affected":"7fc126dc3a09a417918d9089abc914f0e0f46da8"},{"introduced":"0"},{"last_affected":"277c4a033f4d8d56aa564f6da25662692fc137d3"},{"introduced":"0"},{"last_affected":"4865e6654586ddf51aaf743e940d0c7bb088b3d2"},{"introduced":"0"},{"last_affected":"47ead54bf2e0dd4fd3f29dfb94fb05d95f941ce2"},{"introduced":"0"},{"last_affected":"23e85563585d0e4c5ef2774d2f2f0c893b951c20"},{"introduced":"0"},{"last_affected":"1a42ef8f8db3e4ce872504b9e92e802f03ed52f4"},{"introduced":"0"},{"last_affected":"12034ce711cea811e1a7df003cf301bcfc0d3e6b"},{"introduced":"0"},{"last_affected":"46bf71384211aee2fafe9e435fb7b72641414cb4"},{"introduced":"0"},{"last_affected":"9046a2b1596d9a284f10864388b5424d59dfa6d4"},{"introduced":"0"},{"last_affected":"52ed8907d0c3cba22aed84ae4a31d090d0fbf746"},{"introduced":"0"},{"last_affected":"4a447917f7c8b33ef3aae8cd221c47dbdb1c3246"},{"introduced":"0"},{"last_affected":"3e052f72797359e3f39c0065912f1611ad088085"},{"introduced":"0"},{"last_affected":"2970498501bbffeaa00120fee041e4a2620029d7"},{"introduced":"0"},{"last_affected":"99ee8f03c64b26b1deafaa10345982d917c8bdd1"},{"introduced":"0"},{"last_affected":"f9764f0ac59372876b41166cf085dce4f5e6f83e"},{"introduced":"0"},{"last_affected":"b90782df7846f4279c1ed55d6d57e6d4f37fc94b"},{"introduced":"0"},{"last_affected":"6548dd953f4067e663c43d306110d9bba8525760"},{"introduced":"0"},{"last_affected":"799389f6a4d9336da46b948a6c2d86d50fdbc8ab"},{"introduced":"0"},{"last_affected":"fe0d8362626054a506e8e9c9819e2fe1623807db"},{"introduced":"0"},{"last_affected":"8df68f426ca4360fcced0edf8fb48cd6088f0e90"},{"introduced":"0"},{"last_affected":"969fcb163d541fa26f4600c6ae0bfe3d36309823"},{"fixed":"26f5a4350f3ab5507bb8727051c87bb04660f333"},{"fixed":"c8fea2f60c18ed30bdd1bb6f798e994e51a58260"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.3"},{"introduced":"0"},{"last_affected":"0.4"},{"introduced":"0"},{"last_affected":"0.5"},{"introduced":"0"},{"last_affected":"0.6"},{"introduced":"0"},{"last_affected":"0.7"},{"introduced":"0"},{"last_affected":"0.8"},{"introduced":"0"},{"last_affected":"0.8.1"},{"introduced":"0"},{"last_affected":"0.8.2"},{"introduced":"0"},{"last_affected":"0.9"},{"introduced":"0"},{"last_affected":"0.9.1"},{"introduced":"0"},{"last_affected":"1.0"},{"introduced":"0"},{"last_affected":"1.1"},{"introduced":"0"},{"last_affected":"1.2"},{"introduced":"0"},{"last_affected":"1.3"},{"introduced":"0"},{"last_affected":"2.0"},{"introduced":"0"},{"last_affected":"2.1"},{"introduced":"0"},{"last_affected":"2.2"},{"introduced":"0"},{"last_affected":"2.3"},{"introduced":"0"},{"last_affected":"2.4"},{"introduced":"0"},{"last_affected":"2.5"},{"introduced":"0"},{"last_affected":"2.6"},{"introduced":"0"},{"last_affected":"2.7"},{"introduced":"0"},{"last_affected":"2.8"},{"introduced":"0"},{"last_affected":"2.9"}]}}],"versions":["newsbeuter-0.3-real","newsbeuter-0.4","newsbeuter-0.5-old","newsbeuter-0.6","newsbeuter-0.7","newsbeuter-0.8","newsbeuter-0.8.1","newsbeuter-0.8.2","newsbeuter-0.9","newsbeuter-0.9.1","newsbeuter-1.0","newsbeuter-1.1","newsbeuter-1.2","newsbeuter-1.3","r2.0","r2.1","r2.2","r2.3","r2.4","r2.5","r2.6","r2.7","r2.8","r2.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14500.json","vanir_signatures_modified":"2026-04-11T04:14:22Z","vanir_signatures":[{"id":"CVE-2017-14500-0ba005de","signature_version":"v1","target":{"file":"src/pb_controller.cpp"},"signature_type":"Line","deprecated":false,"digest":{"line_hashes":["122203421145135607605150740415678481744","226326304608593480580444074630309874189","141851851325221400487052087950423918467","126645352107463222030298578303702291104","280107155541152668819977864311526523605","100975989055322441498022819319882045499"],"threshold":0.9},"source":"https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333"},{"id":"CVE-2017-14500-11cd728b","signature_version":"v1","target":{"function":"queueloader::get_filename","file":"src/queueloader.cpp"},"signature_type":"Function","deprecated":false,"digest":{"length":569,"function_hash":"297464687269015149749922159851838517057"},"source":"https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260"},{"id":"CVE-2017-14500-1f236f20","signature_version":"v1","target":{"file":"src/pb_controller.cpp"},"signature_type":"Line","deprecated":false,"digest":{"line_hashes":["122203421145135607605150740415678481744","226326304608593480580444074630309874189","141851851325221400487052087950423918467","126645352107463222030298578303702291104","261190887748625915739741040140074181224","72870267390956557907745808987922535707"],"threshold":0.9},"source":"https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260"},{"id":"CVE-2017-14500-55327ebc","signature_version":"v1","target":{"function":"pb_controller::play_file","file":"src/pb_controller.cpp"},"signature_type":"Function","deprecated":false,"digest":{"length":426,"function_hash":"59995948087546701770999833077024963097"},"source":"https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333"},{"id":"CVE-2017-14500-993677e3","signature_version":"v1","target":{"function":"queueloader::get_filename","file":"src/queueloader.cpp"},"signature_type":"Function","deprecated":false,"digest":{"length":566,"function_hash":"325622768065210990364342808000899331722"},"source":"https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333"},{"id":"CVE-2017-14500-a6c43b70","signature_version":"v1","target":{"file":"src/queueloader.cpp"},"signature_type":"Line","deprecated":false,"digest":{"line_hashes":["28945969528684604269056913412978480261","328591584293568757866463690194581631448","240226559374422634877135290719219586984","111208244330724101130459863208369810773"],"threshold":0.9},"source":"https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260"},{"id":"CVE-2017-14500-a9508c1c","signature_version":"v1","target":{"function":"pb_controller::play_file","file":"src/pb_controller.cpp"},"signature_type":"Function","deprecated":false,"digest":{"length":372,"function_hash":"248584191656778447663072432663244477995"},"source":"https://github.com/akrennmair/newsbeuter/commit/c8fea2f60c18ed30bdd1bb6f798e994e51a58260"},{"id":"CVE-2017-14500-b1a77817","signature_version":"v1","target":{"file":"src/queueloader.cpp"},"signature_type":"Line","deprecated":false,"digest":{"line_hashes":["28945969528684604269056913412978480261","328591584293568757866463690194581631448","240226559374422634877135290719219586984","111208244330724101130459863208369810773"],"threshold":0.9},"source":"https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}