CVE-2022-40277

2022-09-3017:15:13

CWE-20

[email protected]

web.nvd.nist.gov

cve

2022

40277

joplin

version 2.8.8

remote code execution

markdown file

nvd

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

36.2%

JSON

Joplin version 2.8.8 allows an external attacker to execute arbitrary commands remotely on any client that opens a link in a malicious markdown file, via Joplin. This is possible because the application does not properly validate the schema/protocol of existing links in the markdown file before passing them to the ‘shell.openExternal’ function.

Affected configurations

NVD

Node

joplinappjoplinMatch2.8.8

AND

linuxlinux_kernelMatch-

Node

joplinappjoplinMatch2.8.8

AND

canonicalubuntu_linuxMatch20.04-

CPENameOperatorVersion
joplinapp:joplinjoplinapp joplineq2.8.8

CPE	Name	Operator	Version
joplinapp:joplin	joplinapp joplin	eq	2.8.8

CNA Affected

[
  {
    "product": "Joplin",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "2.8.8"
      }
    ]
  }
]