{"id":"DEBIAN-CVE-2017-17522","details":"Lib/webbrowser.py in Python through 3.6.3 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL. NOTE: a software maintainer indicates that exploitation is impossible because the code relies on subprocess.Popen and the default shell=False setting","modified":"2025-11-20T10:13:01.496585Z","published":"2017-12-14T16:29:00.713Z","upstream":["CVE-2017-17522"],"references":[{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2017-17522"}],"affected":[{"package":{"name":"jython","ecosystem":"Debian:11","purl":"pkg:deb/debian/jython?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.7.2+repack1-3","2.7.2+repack1-4","2.7.2+repack1-5","2.7.3+repack1-1"],"ecosystem_specific":{"urgency":"unimportant"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2017-17522.json"}},{"package":{"name":"jython","ecosystem":"Debian:12","purl":"pkg:deb/debian/jython?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.7.3+repack1-1"],"ecosystem_specific":{"urgency":"unimportant"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2017-17522.json"}},{"package":{"name":"jython","ecosystem":"Debian:13","purl":"pkg:deb/debian/jython?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.7.3+repack1-1"],"ecosystem_specific":{"urgency":"unimportant"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2017-17522.json"}},{"package":{"name":"jython","ecosystem":"Debian:14","purl":"pkg:deb/debian/jython?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.7.3+repack1-1"],"ecosystem_specific":{"urgency":"unimportant"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2017-17522.json"}},{"package":{"name":"python2.7","ecosystem":"Debian:11","purl":"pkg:deb/debian/python2.7?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.7.18-10","2.7.18-11","2.7.18-12","2.7.18-13","2.7.18-13.1","2.7.18-13.1~exp1","2.7.18-13.2","2.7.18-8","2.7.18-8+deb11u1","2.7.18-9"],"ecosystem_specific":{"urgency":"unimportant"},"database_specific":{"source":"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2017-17522.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}