{"id":"UBUNTU-CVE-2017-17532","details":"examples/framework/news/news3.py in Kiwi 1.9.22 does not validate strings before launching the program specified by the BROWSER environment variable, which might allow remote attackers to conduct argument-injection attacks via a crafted URL.","modified":"2026-01-20T16:49:45.843891Z","published":"2017-12-14T16:29:00Z","upstream":["CVE-2017-17532"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-17532"},{"type":"REPORT","url":"https://sources.debian.org/src/kiwi/1.9.22-4/examples/framework/news/news3.py/?hl=88#L88"},{"type":"REPORT","url":"https://security-tracker.debian.org/tracker/CVE-2017-17532"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2017-17532"}],"affected":[{"package":{"name":"kiwi","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/kiwi@1.9.22-4?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.9.22-3","1.9.22-4"],"ecosystem_specific":{"binaries":[{"binary_name":"python-kiwi","binary_version":"1.9.22-4"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-17532.json"}},{"package":{"name":"kiwi","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/kiwi@1.9.22-4?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["1.9.22-4"],"ecosystem_specific":{"binaries":[{"binary_name":"python-kiwi","binary_version":"1.9.22-4"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-17532.json"}},{"package":{"name":"kiwi","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/kiwi@9.25.22-1ubuntu1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["9.25.11-1ubuntu1","9.25.22-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"kiwi","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-dracut-lib","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-dracut-live","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-dracut-oem-dump","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-dracut-oem-repart","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-dracut-overlay","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-dracut-verity","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-systemdeps","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-systemdeps-bootloaders","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-systemdeps-containers","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-systemdeps-core","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-systemdeps-disk-images","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-systemdeps-filesystems","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-systemdeps-iso-media","binary_version":"9.25.22-1ubuntu1"},{"binary_name":"kiwi-tools","binary_version":"9.25.22-1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-17532.json"}},{"package":{"name":"kiwi","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/kiwi@10.2.28-1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["10.1.18-1ubuntu1","10.2.16-1","10.2.22-1","10.2.24-1","10.2.26-1","10.2.27-1","10.2.28-1"],"ecosystem_specific":{"binaries":[{"binary_name":"kiwi","binary_version":"10.2.28-1"},{"binary_name":"kiwi-dracut-lib","binary_version":"10.2.28-1"},{"binary_name":"kiwi-dracut-live","binary_version":"10.2.28-1"},{"binary_name":"kiwi-dracut-oem-dump","binary_version":"10.2.28-1"},{"binary_name":"kiwi-dracut-oem-repart","binary_version":"10.2.28-1"},{"binary_name":"kiwi-dracut-overlay","binary_version":"10.2.28-1"},{"binary_name":"kiwi-dracut-verity","binary_version":"10.2.28-1"},{"binary_name":"kiwi-systemdeps","binary_version":"10.2.28-1"},{"binary_name":"kiwi-systemdeps-bootloaders","binary_version":"10.2.28-1"},{"binary_name":"kiwi-systemdeps-containers","binary_version":"10.2.28-1"},{"binary_name":"kiwi-systemdeps-core","binary_version":"10.2.28-1"},{"binary_name":"kiwi-systemdeps-disk-images","binary_version":"10.2.28-1"},{"binary_name":"kiwi-systemdeps-filesystems","binary_version":"10.2.28-1"},{"binary_name":"kiwi-systemdeps-iso-media","binary_version":"10.2.28-1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-17532.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"negligible"}]}