CVE-2023-7093

Summary

A vulnerability classified as critical has been found in KylinSoft kylin-system-updater up to 2.0.5.16-0k2.33. Affected is an unknown function of the file /usr/share/kylin-system-updater/SystemUpdater/UpgradeStrategiesDbus.py of the component com.kylin.systemupgrade Service. The manipulation of the argument SetDownloadspeedMax leads to os command injection. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-248940. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Affected Software

VendorProductVersion RangeStatus
KylinSoftkylin-system-updater2.0.5.16-0k2.0affected
KylinSoftkylin-system-updater2.0.5.16-0k2.1affected
KylinSoftkylin-system-updater2.0.5.16-0k2.2affected
KylinSoftkylin-system-updater2.0.5.16-0k2.3affected
KylinSoftkylin-system-updater2.0.5.16-0k2.4affected
KylinSoftkylin-system-updater2.0.5.16-0k2.5affected
KylinSoftkylin-system-updater2.0.5.16-0k2.6affected
KylinSoftkylin-system-updater2.0.5.16-0k2.7affected
KylinSoftkylin-system-updater2.0.5.16-0k2.8affected
KylinSoftkylin-system-updater2.0.5.16-0k2.9affected
KylinSoftkylin-system-updater2.0.5.16-0k2.10affected
KylinSoftkylin-system-updater2.0.5.16-0k2.11affected
KylinSoftkylin-system-updater2.0.5.16-0k2.12affected
KylinSoftkylin-system-updater2.0.5.16-0k2.13affected
KylinSoftkylin-system-updater2.0.5.16-0k2.14affected
KylinSoftkylin-system-updater2.0.5.16-0k2.15affected
KylinSoftkylin-system-updater2.0.5.16-0k2.16affected
KylinSoftkylin-system-updater2.0.5.16-0k2.17affected
KylinSoftkylin-system-updater2.0.5.16-0k2.18affected
KylinSoftkylin-system-updater2.0.5.16-0k2.19affected
KylinSoftkylin-system-updater2.0.5.16-0k2.20affected
KylinSoftkylin-system-updater2.0.5.16-0k2.21affected
KylinSoftkylin-system-updater2.0.5.16-0k2.22affected
KylinSoftkylin-system-updater2.0.5.16-0k2.23affected
KylinSoftkylin-system-updater2.0.5.16-0k2.24affected
KylinSoftkylin-system-updater2.0.5.16-0k2.25affected
KylinSoftkylin-system-updater2.0.5.16-0k2.26affected
KylinSoftkylin-system-updater2.0.5.16-0k2.27affected
KylinSoftkylin-system-updater2.0.5.16-0k2.28affected
KylinSoftkylin-system-updater2.0.5.16-0k2.29affected
KylinSoftkylin-system-updater2.0.5.16-0k2.30affected
KylinSoftkylin-system-updater2.0.5.16-0k2.31affected
KylinSoftkylin-system-updater2.0.5.16-0k2.32affected
KylinSoftkylin-system-updater2.0.5.16-0k2.33affected

Weaknesses

  • CWE-78: CWE-78 OS Command Injection

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References