{"id":"CVE-2017-15924","details":"In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server, build_config, and construct_command_line functions.","modified":"2026-04-16T06:21:10.159785922Z","published":"2017-10-27T16:29:00.223Z","related":["openSUSE-SU-2024:11379-1"],"references":[{"type":"ADVISORY","url":"http://openwall.com/lists/oss-security/2017/10/13/2"},{"type":"ADVISORY","url":"http://www.debian.org/security/2017/dsa-4009"},{"type":"ADVISORY","url":"https://github.com/shadowsocks/shadowsocks-libev/commit/c67d275803dc6ea22c558d06b1f7ba9f94cd8de3"},{"type":"ADVISORY","url":"https://github.com/shadowsocks/shadowsocks-libev/issues/1734"},{"type":"EVIDENCE","url":"https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/shadowsocks/shadowsocks-libev","events":[{"introduced":"0"},{"last_affected":"5b7f057663898b91e174b9440864f51474cc780d"},{"introduced":"0"},{"last_affected":"1f72c5d30a4d656a7a96e96f5285a90865ba3cd9"},{"introduced":"0"},{"last_affected":"eb9d31869e1d7590cd8c2fb1e7d226ac6cf32fad"},{"introduced":"0"},{"last_affected":"58b4157b3e5fcd4e0e64c54ee7b1c043933e699d"},{"introduced":"0"},{"last_affected":"438e1e4ec702a2bd888968ee4648990d32b16d26"},{"introduced":"0"},{"last_affected":"f402119f6d56bc07939b854aab6236b92315229a"},{"introduced":"0"},{"last_affected":"c9c48733477d535a9ddd71e6284c24e44f586dcf"},{"introduced":"0"},{"last_affected":"75add87313af3e0f961277739e560f3733016e2f"},{"introduced":"0"},{"last_affected":"e9a530f9dcd3d94e8dcbd341b5e0ccd5bc71cd95"},{"introduced":"0"},{"last_affected":"d37f8d302532a8d442233d9b752324ffff99bbd0"},{"introduced":"0"},{"last_affected":"5d7dd372fcb8e241497413f357ae8a2925b2f6c6"},{"introduced":"0"},{"last_affected":"a56501b027e565b486b8b1761615341462dd3a7b"},{"introduced":"0"},{"last_affected":"aeb6fcef04d5008ab7462955f32fbf3f7d1b0d5a"},{"introduced":"0"},{"last_affected":"c0b5a13973b62cb0bbe25900370e251d6cf5cc65"},{"introduced":"0"},{"last_affected":"dcf5a39b624bbf1db645a449af980463fca79a7a"},{"introduced":"0"},{"last_affected":"2a6c28e185774addcf4d090662886b9433a7cefa"},{"introduced":"0"},{"last_affected":"6a503108b3646f010361a99aacec6610262a6894"},{"introduced":"0"},{"last_affected":"6dac73f63a4d20239f29dadc3f0ac3846712e7cb"},{"introduced":"0"},{"last_affected":"2a15e971969a1e068fc93b1c32d27de4814d1de8"},{"introduced":"0"},{"last_affected":"c2cc700177c8d197b4c99c7bf8ba368b9e4b2945"},{"introduced":"0"},{"last_affected":"860bbdc758815e13f288fc3c84c9f7e3a1fc3c30"},{"introduced":"0"},{"last_affected":"27b60ce1c78998f262b1cd825f6e0281f4780be5"},{"introduced":"0"},{"last_affected":"9cdc3dc7ef8e7a87169755a6b4287a5394745dd1"},{"introduced":"0"},{"last_affected":"ad690cc67e7e6053c7567c304cd8d5bdcfc93cab"},{"introduced":"0"},{"last_affected":"1dd6c726be42bb812bb7620a0e7254fe6888b33f"},{"introduced":"0"},{"last_affected":"6f81b0a4e3bd63c08f7c2b0bf536b23ef91622dd"},{"introduced":"0"},{"last_affected":"bfb75054ec19d07f7649713677badb3cbf8d3f4c"},{"introduced":"0"},{"last_affected":"5e43ae1d421d9a945f6cbcd1f979918106b7bd75"},{"introduced":"0"},{"last_affected":"77d3ecabdd1c70db05df4d4abc143d5b7c91536c"},{"introduced":"0"},{"last_affected":"876893170e391e968a7ddf36f9b0c3873f0f7b0b"},{"introduced":"0"},{"last_affected":"f87ee5b424279da8e85ee11f2273238dd7eb061c"},{"introduced":"0"},{"last_affected":"a365d66d692b7d04ee2c0d93ab03deaa052ce83c"},{"introduced":"0"},{"last_affected":"39f72a0545234063b2b884649e810da09b1d8b22"},{"introduced":"0"},{"last_affected":"50f80557d4c5e7f9b7e6f0bdf813595db76c2652"},{"introduced":"0"},{"last_affected":"4883903e657095b93f88a3a3b9a0dccdffdaa397"},{"introduced":"0"},{"last_affected":"53ddb3b4d2407ccae99e585985d93aa407213657"},{"introduced":"0"},{"last_affected":"096e1eca5d0d23718b7b0e0a182d178d8cabfdaa"},{"introduced":"0"},{"last_affected":"4daab0e8690e6e5dc2ff6803dd7e13a1ec745926"},{"introduced":"0"},{"last_affected":"8dcd0970a6c4a61dd03bbcf07e1463ba9ae5231c"},{"introduced":"0"},{"last_affected":"7e23ae7a75e26b4362b6a390338d945ac972ca14"},{"introduced":"0"},{"last_affected":"ad4fdeb364283487a102da1aa79f5a603d831559"},{"introduced":"0"},{"last_affected":"12ff6c8f2f42794b16a0280feb926bfca0ec973f"},{"introduced":"0"},{"last_affected":"f3428e621a760b4881915b471267d55933e9b8fc"},{"introduced":"0"},{"last_affected":"48a063ef1e1a886e274a0fbb797e88358deca35b"},{"introduced":"0"},{"last_affected":"3953788f06bebe1350e4b492b2f1bd2f466454a0"},{"introduced":"0"},{"last_affected":"3a0c6a19191b38e928f7932a926524e376970571"},{"introduced":"0"},{"last_affected":"d03d71c8c1e205e66b99450e9a337db1c0bf903c"},{"introduced":"0"},{"last_affected":"0904a62810e7f89230de0fb7b3d0c0536ab7add5"},{"introduced":"0"},{"last_affected":"ccb48fa8c252e4027670bf3c6c34499f29d86c99"},{"introduced":"0"},{"last_affected":"c579f56087db741784bacaf1bcb8a7053052074b"},{"introduced":"0"},{"last_affected":"bd0efdee0c8a380750d9a41e8b3dd8ac07ed0b90"},{"introduced":"0"},{"last_affected":"ac84fc682e0ce33c6b79ed38d3757a67fadc55d5"},{"introduced":"0"},{"last_affected":"bd1601f847dec9d232b4c600bd1de4c7e6160c34"},{"introduced":"0"},{"last_affected":"97b87b8ec76c073727cb4d4f804233ebb07078ff"},{"introduced":"0"},{"last_affected":"9807e566d736669f7524f0d7f03138da1c5b7d1c"},{"introduced":"0"},{"last_affected":"d6c377df9c8053b10276dd2dddf9aceda5f1faf5"},{"introduced":"0"},{"last_affected":"8cb4f81eba2dde5207f99c0f0b05f30fbb57a497"},{"introduced":"0"},{"last_affected":"a3bf80cf11e0a88589abdd87266b5351f270197c"},{"introduced":"0"},{"last_affected":"9c94e6792c35dc42f10d584cf10d3f61b77da909"},{"introduced":"0"},{"last_affected":"38a3084b1f29ca0ccb5f929ae149fb64a0477fa5"},{"introduced":"0"},{"last_affected":"833594e3c637c4cad629ff95b3d3d37c31f2927b"},{"introduced":"0"},{"last_affected":"fdb1f190f8bad4438cc42b673eb98a6f14c1e1bc"},{"introduced":"0"},{"last_affected":"46fa5de9e40eabba94d50375b1263d6d51ca9841"},{"introduced":"0"},{"last_affected":"661429e579b75a665cbfe0cd85b2533b0abdc66c"},{"introduced":"0"},{"last_affected":"76609740c9d5c186d6e188bbd7c28aefa2eb82f2"},{"introduced":"0"},{"last_affected":"48f5a3bec864d80f1427c2c0090b87aba78267c8"},{"introduced":"0"},{"last_affected":"bc96aed3b0e800f18cf7fc54272e48a22160a554"},{"introduced":"0"},{"last_affected":"c11b2c08e4aecaa01f7bc4e93d311f9945d84363"},{"introduced":"0"},{"last_affected":"f1dd1354a9e0bf4a364773be3385e12de571d008"},{"introduced":"0"},{"last_affected":"69c41d9752fe37580ba1d6b9b3023aff28655f07"},{"fixed":"c67d275803dc6ea22c558d06b1f7ba9f94cd8de3"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.3"},{"introduced":"0"},{"last_affected":"1.3.2"},{"introduced":"0"},{"last_affected":"1.4.0"},{"introduced":"0"},{"last_affected":"1.4.1"},{"introduced":"0"},{"last_affected":"1.4.2"},{"introduced":"0"},{"last_affected":"1.4.3"},{"introduced":"0"},{"last_affected":"1.4.4"},{"introduced":"0"},{"last_affected":"1.4.5"},{"introduced":"0"},{"last_affected":"1.4.6"},{"introduced":"0"},{"last_affected":"1.4.7"},{"introduced":"0"},{"last_affected":"1.4.8"},{"introduced":"0"},{"last_affected":"1.5.0"},{"introduced":"0"},{"last_affected":"1.5.1"},{"introduced":"0"},{"last_affected":"1.5.2"},{"introduced":"0"},{"last_affected":"1.5.3"},{"introduced":"0"},{"last_affected":"1.6.1"},{"introduced":"0"},{"last_affected":"1.6.2"},{"introduced":"0"},{"last_affected":"1.6.3"},{"introduced":"0"},{"last_affected":"1.6.4"},{"introduced":"0"},{"last_affected":"2.0.1"},{"introduced":"0"},{"last_affected":"2.0.2"},{"introduced":"0"},{"last_affected":"2.0.3"},{"introduced":"0"},{"last_affected":"2.0.4"},{"introduced":"0"},{"last_affected":"2.0.5"},{"introduced":"0"},{"last_affected":"2.0.6"},{"introduced":"0"},{"last_affected":"2.0.7"},{"introduced":"0"},{"last_affected":"2.0.8"},{"introduced":"0"},{"last_affected":"2.1.0"},{"introduced":"0"},{"last_affected":"2.1.1"},{"introduced":"0"},{"last_affected":"2.1.2"},{"introduced":"0"},{"last_affected":"2.1.3"},{"introduced":"0"},{"last_affected":"2.1.4"},{"introduced":"0"},{"last_affected":"2.2.0"},{"introduced":"0"},{"last_affected":"2.2.1"},{"introduced":"0"},{"last_affected":"2.2.2"},{"introduced":"0"},{"last_affected":"2.2.3"},{"introduced":"0"},{"last_affected":"2.3.0"},{"introduced":"0"},{"last_affected":"2.3.1"},{"introduced":"0"},{"last_affected":"2.3.2"},{"introduced":"0"},{"last_affected":"2.3.3"},{"introduced":"0"},{"last_affected":"2.4.0"},{"introduced":"0"},{"last_affected":"2.4.1"},{"introduced":"0"},{"last_affected":"2.4.2"},{"introduced":"0"},{"last_affected":"2.4.3"},{"introduced":"0"},{"last_affected":"2.4.4"},{"introduced":"0"},{"last_affected":"2.4.5"},{"introduced":"0"},{"last_affected":"2.4.6"},{"introduced":"0"},{"last_affected":"2.4.7"},{"introduced":"0"},{"last_affected":"2.4.8"},{"introduced":"0"},{"last_affected":"2.5.0"},{"introduced":"0"},{"last_affected":"2.5.1"},{"introduced":"0"},{"last_affected":"2.5.2"},{"introduced":"0"},{"last_affected":"2.5.3"},{"introduced":"0"},{"last_affected":"2.5.4"},{"introduced":"0"},{"last_affected":"2.5.5"},{"introduced":"0"},{"last_affected":"2.5.6"},{"introduced":"0"},{"last_affected":"2.6.0"},{"introduced":"0"},{"last_affected":"2.6.1"},{"introduced":"0"},{"last_affected":"2.6.2"},{"introduced":"0"},{"last_affected":"2.6.3"},{"introduced":"0"},{"last_affected":"3.0.0"},{"introduced":"0"},{"last_affected":"3.0.1"},{"introduced":"0"},{"last_affected":"3.0.2"},{"introduced":"0"},{"last_affected":"3.0.3"},{"introduced":"0"},{"last_affected":"3.0.4"},{"introduced":"0"},{"last_affected":"3.0.5"},{"introduced":"0"},{"last_affected":"3.0.6"},{"introduced":"0"},{"last_affected":"3.0.7"},{"introduced":"0"},{"last_affected":"3.0.8"},{"introduced":"0"},{"last_affected":"3.1.0"}]}}],"versions":["v1.3","v1.3.2","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.4.4","v1.4.5","v1.4.6","v1.4.7","v1.4.8","v1.5.0","v1.5.1","v1.5.2","v1.5.3","v1.6.1","v1.6.2","v1.6.3","v1.6.4","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v2.0.7","v2.0.8","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.4.0","v2.4.1","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.5.0","v2.5.1","v2.5.2","v2.5.3","v2.5.4","v2.5.5","v2.5.6","v2.6.0","v2.6.1","v2.6.2","v2.6.3","v3.0.0","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.1.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.2"}]}],"vanir_signatures_modified":"2026-04-11T04:14:25Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-15924.json","vanir_signatures":[{"digest":{"length":1080,"function_hash":"277076487168416077177268514653106974475"},"target":{"function":"build_config","file":"src/manager.c"},"source":"https://github.com/shadowsocks/shadowsocks-libev/commit/c67d275803dc6ea22c558d06b1f7ba9f94cd8de3","signature_type":"Function","signature_version":"v1","deprecated":false,"id":"CVE-2017-15924-738cd4f1"},{"digest":{"length":2671,"function_hash":"51715648287725508804296421552476954729"},"target":{"function":"construct_command_line","file":"src/manager.c"},"source":"https://github.com/shadowsocks/shadowsocks-libev/commit/c67d275803dc6ea22c558d06b1f7ba9f94cd8de3","signature_type":"Function","signature_version":"v1","deprecated":false,"id":"CVE-2017-15924-7e3eb6fc"},{"digest":{"line_hashes":["169837448405245710347467634324323478422","327659273079150167083867326886170459882","301484648099712372651071308334292968805","81374173212013676119655546543043961364","40156762308119617865492505593162385531","189886026585957659222601073739168781841","65991846492554056196821736162134505460","212907375527110548919205828182184045444","266748927104649670767550455357153502823","2561586973442348593906185680394902824","73857112924478152416306249729309578487","10983231780701925607823863281532833026","57259832225120913902268720118809065672","126842709979597372642403940724571959268","42157759316307733695178137402041078878","145036398007120937366813029069073129853","224591225731331742064323684188427633094","32278634827548368364613609433937393828","2653600847363017017969292359007098289","26085178480316581020662140927533394189","282584403883317560828349507996565172350","102608600048312645466792487933083938846","28508456101964790122671434748187555180","97940369526720310290924854467897825220"],"threshold":0.9},"target":{"file":"src/manager.c"},"signature_version":"v1","signature_type":"Line","source":"https://github.com/shadowsocks/shadowsocks-libev/commit/c67d275803dc6ea22c558d06b1f7ba9f94cd8de3","id":"CVE-2017-15924-c25c1466","deprecated":false}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}