Upstream information

CVE-2023-51698 at MITRE

Description

Atril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having critical severity.

CVSS v3 Scores
CVSS detail CNA (GitHub) National Vulnerability Database
Base Score 9.6 8.8
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network Network
Attack Complexity Low Low
Privileges Required None None
User Interaction Required Required
Scope Changed Unchanged
Confidentiality Impact High High
Integrity Impact High High
Availability Impact Low High
CVSSv3 Version 3.1 3.1
SUSE Bugzilla entry: 1218806 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • atril >= 1.26.1-2.1
  • atril-backends >= 1.26.1-2.1
  • atril-devel >= 1.26.1-2.1
  • atril-doc >= 1.26.1-2.1
  • atril-lang >= 1.26.1-2.1
  • atril-thumbnailer >= 1.26.1-2.1
  • caja-extension-atril >= 1.26.1-2.1
  • libatrildocument3 >= 1.26.1-2.1
  • libatrilview3 >= 1.26.1-2.1
  • typelib-1_0-AtrilDocument-1_5_0 >= 1.26.1-2.1
  • typelib-1_0-AtrilView-1_5_0 >= 1.26.1-2.1
 Patchnames:
openSUSE-Tumbleweed-2024-13614

SUSE Timeline for this CVE

CVE page created: Fri Jan 12 23:00:19 2024
CVE page last modified: Mon Oct 6 19:47:55 2025