Livebook Desktop's protocol handler can be exploited to execute arbitrary commands on Windows
Severity: High
Published by josevalim
GHSA-564w-97r7-c6p9
Jun 21, 2023
Package
No package listed
Affected versions
0.8.0, 0.8.1, 0.9.0, 0.9.1, 0.9.2
Patched versions
0.8.2, 0.9.3
Description
On Windows, it is possible to open a livebook:// link from a browser that opens Livebook Desktop and triggers arbitrary code execution on the victim's machine.
Any user running Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from the browser.
Weakness (CWE-78, OS command injection): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.