{"id":"CVE-2021-33477","details":"rxvt-unicode 9.22, rxvt 2.7.10, mrxvt 0.5.4, and Eterm 0.9.7 allow (potentially remote) code execution because of improper handling of certain escape sequences (ESC G Q). A response is terminated by a newline.","modified":"2026-04-16T04:32:19.060958357Z","published":"2021-05-20T20:15:07.397Z","related":["openSUSE-SU-2022:10222-1","openSUSE-SU-2024:12386-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6RFMU5YXXNYYVA7G2DAHRXXHO6JKVFUT/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AO52OLNOOKOCZSJCN3R7Q25XA32BWNWP/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NZWGE2RJONBEHSPCBUAW72NTRTIFKZAX/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DUV4LDVZVW7KCGPAMFZD4ZJ4FVLPOX4C/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLPVEPBH37EBR4R54RMC6GD33J37HJXD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXAKO6N6NKTR6Z6KVAPEXSZQMRU52SGA/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202209-07"},{"type":"ADVISORY","url":"http://cvs.schmorp.de/rxvt-unicode/Changes?view=log"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/05/msg00026.html"},{"type":"ADVISORY","url":"https://sourceforge.net/projects/materm/files/mrxvt%20source/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00012.html"},{"type":"ADVISORY","url":"https://sourceforge.net/projects/rxvt/files/rxvt-dev/"},{"type":"ADVISORY","url":"https://www.openwall.com/lists/oss-security/2017/05/01/20"},{"type":"ADVISORY","url":"https://git.enlightenment.org/apps/eterm.git/log/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00010.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/06/msg00011.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202105-17"},{"type":"FIX","url":"http://cvs.schmorp.de/rxvt-unicode/src/command.C?r1=1.582&r2=1.583"},{"type":"EVIDENCE","url":"https://packetstormsecurity.com/files/162621/rxvt-2.7.0-rxvt-unicode-9.22-Code-Execution.html"},{"type":"EVIDENCE","url":"https://www.openwall.com/lists/oss-security/2021/05/17/1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/exg/rxvt-unicode","events":[{"introduced":"0"},{"last_affected":"df03d2705271fdb3eeccad9e191bba45cb872b96"},{"introduced":"0"},{"last_affected":"a72021cd7dd8ecd115718178c1cd5a19a049e5ea"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"9.22"},{"introduced":"0"},{"last_affected":"9.0"}]}}],"versions":["rxvt-unicode-1.2","rxvt-unicode-1.3","rxvt-unicode-1.9","rxvt-unicode-2.0","rxvt-unicode-2.1","rxvt-unicode-2.2","rxvt-unicode-2.3","rxvt-unicode-2.4","rxvt-unicode-2.5","rxvt-unicode-2.7","rxvt-unicode-2.8","rxvt-unicode-3.0","rxvt-unicode-3.2","rxvt-unicode-3.3","rxvt-unicode-3.4","rxvt-unicode-3.5","rxvt-unicode-3.6","rxvt-unicode-3.7","rxvt-unicode-3.8","rxvt-unicode-4.0","rxvt-unicode-4.1","rxvt-unicode-4.2","rxvt-unicode-4.3","rxvt-unicode-4.4","rxvt-unicode-4.6","rxvt-unicode-4.7","rxvt-unicode-4.8","rxvt-unicode-4.9","rxvt-unicode-5.0","rxvt-unicode-5.1","rxvt-unicode-5.2","rxvt-unicode-5.3","rxvt-unicode-5.4","rxvt-unicode-5.5","rxvt-unicode-5.7","rxvt-unicode-5.8","rxvt-unicode-5.9","rxvt-unicode-6.0","rxvt-unicode-6.1","rxvt-unicode-6.2","rxvt-unicode-6.3","rxvt-unicode-7.0","rxvt-unicode-7.1","rxvt-unicode-7.2","rxvt-unicode-7.3","rxvt-unicode-7.3a","rxvt-unicode-7.4","rxvt-unicode-7.5","rxvt-unicode-7.6","rxvt-unicode-7.7","rxvt-unicode-7.8","rxvt-unicode-7.9","rxvt-unicode-8.0","rxvt-unicode-8.1","rxvt-unicode-8.2","rxvt-unicode-8.3","rxvt-unicode-8.4","rxvt-unicode-8.5a","rxvt-unicode-8.6","rxvt-unicode-8.7","rxvt-unicode-8.8","rxvt-unicode-8.9","rxvt-unicode-9.0","rxvt-unicode-9.01","rxvt-unicode-9.02","rxvt-unicode-9.05","rxvt-unicode-9.06","rxvt-unicode-9.07","rxvt-unicode-9.09","rxvt-unicode-9.10","rxvt-unicode-9.11","rxvt-unicode-9.12","rxvt-unicode-9.14","rxvt-unicode-9.15","rxvt-unicode-9.16","rxvt-unicode-9.17","rxvt-unicode-9.18","rxvt-unicode-9.19","rxvt-unicode-9.20","rxvt-unicode-9.21","rxvt-unicode-9.22"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-33477.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"0.9.7"}]},{"events":[{"introduced":"0"},{"last_affected":"0.5.4"}]},{"events":[{"introduced":"0"},{"last_affected":"2.7.10"}]},{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"34"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}