CVE-2023-50254
Published: 22 December 2023
Summary
CVE-2023-50254 is a critical-severity Path Traversal (CWE-22) vulnerability in Deepin's Deepin Reader. Its CVSS base score is 9.3 (Critical).
Operationally, it ranks in the top 7.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Deepin Reader, the default document viewer in Deepin Linux, contains a path traversal flaw (CWE-22 and CWE-27) in all versions prior to 6.0.7. The defect allows an attacker-supplied DOCX file to overwrite arbitrary files on the victim system, most notably shell configuration files such as .bashrc or .bash_login, thereby enabling remote code execution the next time the user opens a terminal.
An unauthenticated remote attacker can deliver the malicious document through any channel that leads the victim to open it with deepin-reader. Exploitation requires user interaction, and the CVSS vector carries a scope change: successful exploitation lets the attacker execute arbitrary commands with the privileges of the opening user and potentially affect other users on the same host.
The project’s GitHub advisory (GHSA-q9jr-726g-9495) and the two commits that landed in version 6.0.7 (4db7a079 and c192fd20) confirm that the issue is resolved by adding proper path validation and rejecting unsafe file-write operations inside DOCX archives. Administrators are advised to update deepin-reader immediately and to avoid opening untrusted documents until the patch is applied.
EPSS for the CVE has remained flat at 0.0885 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-55069
Vulnerability details
Deepin Linux's default document reader `deepin-reader` software suffers from a serious vulnerability in versions prior to 6.0.7 due to a design flaw that leads to remote command execution via crafted docx document. This is a file overwrite vulnerability. Remote code execution (RCE) can be achieved by overwriting files like .bash_rc, .bash_login, etc. RCE will be triggered when the user opens the terminal. Version 6.0.7 contains a patch for the issue.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
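A pre-open check in the spirit of that control, as an added example that is not deepin-reader's code or its 6.0.7 patch: it lists members of a DOCX (a ZIP container) whose names or types could place a write outside the extraction directory. That the unsafe write arises from member names or symlink entries is an assumption made here; `unsafe_members` and `build_sample` are hypothetical names, and the sample archive is constructed in memory.

```python
import io
import stat
import zipfile


def unsafe_members(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for entries an extractor should refuse."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            # Normalise separators so "..\\" is treated like "../".
            name = info.filename.replace("\\", "/")
            # Upper 16 bits of external_attr hold the Unix mode, if recorded.
            mode = info.external_attr >> 16
            if name.startswith("/"):
                findings.append((info.filename, "absolute path"))
            elif ".." in name.split("/"):
                findings.append((info.filename, "parent-directory component"))
            elif stat.S_ISLNK(mode):
                findings.append((info.filename, "symbolic link entry"))
    return findings


def build_sample(malicious: bool) -> bytes:
    """Constructed DOCX-like archive; the unsafe entries are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if malicious:
            # Name climbs out of the extraction directory.
            zf.writestr("word/../../outside.txt", "constructed sample")
            # Entry flagged as a symlink via its Unix mode bits.
            link = zipfile.ZipInfo("word/media/image1.png")
            link.create_system = 3  # Unix
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "/tmp/example-target")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in unsafe_members(build_sample(malicious=True)):
        print(f"REJECT {member!r}: {reason}")
```

A mail gateway or file-upload filter can run the same check and quarantine any document that returns a non-empty list.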