{"id":"CVE-2021-32563","details":"An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution.","modified":"2026-04-16T04:41:38.788007049Z","published":"2021-05-11T05:15:07.217Z","references":[{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2021/05/09/2"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2021/05/11/3"},{"type":"ADVISORY","url":"https://gitlab.xfce.org/xfce/thunar/-/tags"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2023/01/05/1"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2023/01/05/2"},{"type":"FIX","url":"https://gitlab.xfce.org/xfce/thunar/-/commit/9165a61f95e43cc0b5abf9b98eee2818a0191e0b"},{"type":"FIX","url":"https://gitlab.xfce.org/xfce/thunar/-/commit/1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d"},{"type":"FIX","url":"https://gitlab.xfce.org/xfce/thunar/-/commit/3b54d9d7dbd7fd16235e2141c43a7f18718f5664"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/xfce-mirror/thunar","events":[{"introduced":"0"},{"fixed":"13b837945b35ab48a2da4e54657169d0453e5e06"},{"introduced":"757ee923658663dc85d3b1760321236c8b68dca1"},{"fixed":"7f353c925ee539e62bfb64e5b32464915f2f3753"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.16.7"},{"introduced":"4.17.0"},{"fixed":"4.17.2"}]}},{"type":"GIT","repo":"https://gitlab.xfce.org/xfce/thunar","events":[{"introduced":"0"},{"fixed":"1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d"},{"fixed":"3b54d9d7dbd7fd16235e2141c43a7f18718f5664"},{"fixed":"9165a61f95e43cc0b5abf9b98eee2818a0191e0b"}]}],"versions":["thunar-0.3.0beta1","thunar-0.3.2beta2","thunar-0.9.0","thunar-0.9.80","thunar-0.9.91","thunar-0.9.92","thunar-0.9.93","thunar-0.9.99.1","thunar-1.0.1","thunar-1.1.0","thunar-1.1.1","thunar-1.1.2","thunar-1.1.3","thunar-1.1.4","thunar-1.1.5","thunar-1.1.6","thunar-1.2.0","thunar-1.3.0","thunar-1.3.1","thunar-1.3.2","thunar-1.4.0","thunar-1.5.0","thunar-1.5.1","thunar-1.5.2","thunar-1.5.3","thunar-1.6.0","thunar-1.6.1","thunar-1.6.10","thunar-1.6.11","thunar-1.6.12","thunar-1.6.2","thunar-1.6.3","thunar-1.6.4","thunar-1.6.5","thunar-1.6.6","thunar-1.6.7","thunar-1.6.8","thunar-1.6.9","thunar-1.7.0","thunar-1.7.1","thunar-1.7.2","thunar-1.8.0","thunar-1.8.1","thunar-1.8.10","thunar-1.8.11","thunar-1.8.12","thunar-1.8.13","thunar-1.8.14","thunar-1.8.15","thunar-1.8.16","thunar-1.8.2","thunar-1.8.3","thunar-1.8.4","thunar-1.8.5","thunar-1.8.6","thunar-1.8.7","thunar-1.8.8","thunar-1.8.9","thunar-4.15.0","thunar-4.15.1","thunar-4.15.2","thunar-4.15.3","thunar-4.16.0","thunar-4.16.1","thunar-4.16.2","thunar-4.16.3","thunar-4.16.4","thunar-4.16.5","thunar-4.16.6","thunar-4.17.0","thunar-4.17.1","thunar-4.17.2","xfce-4.14.0","xfce-4.14pre1","xfce-4.14pre2","xfce-4.14pre3","xfce-4.16pre1","xfce-4.16pre2","xfce-4.4.2","xfce-4.4beta1","xfce-4.4beta2","xfce-4.6alpha","xfce-4.6beta1","xfce-4.6beta2","xfce-4.6beta3"],"database_specific":{"vanir_signatures":[{"deprecated":false,"signature_version":"v1","id":"CVE-2021-32563-101171c6","source":"https://gitlab.xfce.org/xfce/thunar@9165a61f95e43cc0b5abf9b98eee2818a0191e0b","target":{"function":"thunar_application_process_files_finish","file":"thunar/thunar-application.c"},"digest":{"function_hash":"76453521844426154463468593598021274668","length":1117},"signature_type":"Function"},{"deprecated":false,"signature_version":"v1","id":"CVE-2021-32563-1df0ae1b","source":"https://gitlab.xfce.org/xfce/thunar@1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d","target":{"function":"thunar_dbus_service_launch_files","file":"thunar/thunar-dbus-service.c"},"digest":{"function_hash":"193458808684422267123343110460523055664","length":872},"signature_type":"Function"},{"deprecated":false,"digest":{"function_hash":"193458808684422267123343110460523055664","length":872},"target":{"function":"thunar_dbus_service_launch_files","file":"thunar/thunar-dbus-service.c"},"source":"https://gitlab.xfce.org/xfce/thunar@3b54d9d7dbd7fd16235e2141c43a7f18718f5664","id":"CVE-2021-32563-3371b1be","signature_version":"v1","signature_type":"Function"},{"deprecated":false,"id":"CVE-2021-32563-6bc3037f","signature_version":"v1","source":"https://gitlab.xfce.org/xfce/thunar@3b54d9d7dbd7fd16235e2141c43a7f18718f5664","target":{"file":"thunar/thunar-dbus-service.c"},"digest":{"line_hashes":["333741236351249368640136793175355211632","196023527416500479017541562811996078200","312149587464661582791396048727543242774","82789431063833627206592324110022651623"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"id":"CVE-2021-32563-8b23ffb8","digest":{"function_hash":"240219985511444574272100991227286123703","length":457},"source":"https://gitlab.xfce.org/xfce/thunar@9165a61f95e43cc0b5abf9b98eee2818a0191e0b","target":{"function":"thunar_window_select_files","file":"thunar/thunar-window.c"},"signature_version":"v1","signature_type":"Function"},{"deprecated":false,"id":"CVE-2021-32563-9df4f3c4","digest":{"line_hashes":["33883801610053101770454332029839617759","31942194425757146550583624434930046418","5999911348752228872924859601749310390","68298791084085739787901773884069998986","199692913691837589097090413456053514655","141670879382841887650444079627429453297","35781408589419365993670024578647521386"],"threshold":0.9},"source":"https://gitlab.xfce.org/xfce/thunar@3b54d9d7dbd7fd16235e2141c43a7f18718f5664","target":{"file":"thunar/thunar-application.h"},"signature_version":"v1","signature_type":"Line"},{"deprecated":false,"id":"CVE-2021-32563-bb90fa0c","digest":{"line_hashes":["33883801610053101770454332029839617759","31942194425757146550583624434930046418","5999911348752228872924859601749310390","68298791084085739787901773884069998986","199692913691837589097090413456053514655","141670879382841887650444079627429453297","35781408589419365993670024578647521386"],"threshold":0.9},"source":"https://gitlab.xfce.org/xfce/thunar@1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d","target":{"file":"thunar/thunar-application.h"},"signature_version":"v1","signature_type":"Line"},{"deprecated":false,"target":{"file":"thunar/thunar-application.c"},"signature_version":"v1","source":"https://gitlab.xfce.org/xfce/thunar@9165a61f95e43cc0b5abf9b98eee2818a0191e0b","id":"CVE-2021-32563-bcc23ddb","digest":{"line_hashes":["217846621016225848485072870713498074044","64660158412193811085918561022236540670","181899418999702034230534458880337942005","43894642237672623045404286098122510699"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"function":"thunar_application_process_files_finish","file":"thunar/thunar-application.c"},"signature_version":"v1","source":"https://gitlab.xfce.org/xfce/thunar@1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d","id":"CVE-2021-32563-d648f2d0","digest":{"function_hash":"76453521844426154463468593598021274668","length":1117},"signature_type":"Function"},{"deprecated":false,"target":{"file":"thunar/thunar-window.h"},"signature_version":"v1","source":"https://gitlab.xfce.org/xfce/thunar@9165a61f95e43cc0b5abf9b98eee2818a0191e0b","id":"CVE-2021-32563-e24206da","digest":{"line_hashes":["71995599210645557607068850389178420250","176431535656620076387624886239560476324","119060238380255805610963994524452940987"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"signature_version":"v1","id":"CVE-2021-32563-e83755e9","source":"https://gitlab.xfce.org/xfce/thunar@9165a61f95e43cc0b5abf9b98eee2818a0191e0b","target":{"file":"thunar/thunar-window.c"},"digest":{"line_hashes":["195470704098790955053997434797781333610","294593178307349962211822224981884982439","237836334247483354412060104701140496504","25744477612665038666142578699714641948","210903922429604648927034136560186576621","87829882380763779028356856767485725253","116412102868994170465163048963147799421","52831437443336667610700417247031608224","309869385550930135943211102869211562463"],"threshold":0.9},"signature_type":"Line"},{"deprecated":false,"target":{"file":"thunar/thunar-dbus-service.c"},"signature_version":"v1","source":"https://gitlab.xfce.org/xfce/thunar@1b85b96ebf7cb9bf6a3ddf1acee7643643fdf92d","id":"CVE-2021-32563-f00a346b","digest":{"line_hashes":["333741236351249368640136793175355211632","196023527416500479017541562811996078200","312149587464661582791396048727543242774","82789431063833627206592324110022651623"],"threshold":0.9},"signature_type":"Line"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-32563.json","vanir_signatures_modified":"2026-04-11T17:12:17Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}