What is CVE-2014-8517?

CVE-2014-8517 is a vulnerability in Apple Mac_os_x, classified under Command Injection. Published 2014-11-17.

Is CVE-2014-8517 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Apple Mac_os_x

CVE-2014-8517

The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.850 (99.4th percentile) — read the EPSS interpretation.

Affected products

Apple Mac_os_x — versions 10.8.5, 10.9.5, 10.10.0
Netbsd — versions 5.1, 5.1.1, 5.1.2
N/a — versions n/a

Weakness classification (CWE)

CWE-77 — Command Injection

Public proof-of-concept exploits

References

NetBSD-SA2014-013 (vendor-advisory, x_refsource_NETBSD, Patch, Vendor Advisory)
62028 (x_refsource_SECUNIA, third-party-advisory)
43112 (exploit, x_refsource_EXPLOIT-DB)
[oss-security] 20141028 Re: ftp(1) can be made execute arbitrary commands by malicious webserver (mailing-list, x_refsource_MLIST)
cve@mitre.org (x_refsource_CONFIRM)
GLSA-201611-05 (vendor-advisory, x_refsource_GENTOO)
openSUSE-SU-2014:1383 (vendor-advisory, x_refsource_SUSE)
APPLE-SA-2015-01-27-4 (vendor-advisory, x_refsource_APPLE)
62260 (x_refsource_SECUNIA, third-party-advisory)
[oss-security] 20141028 ftp(1) can be made execute arbitrary commands by malicious webserver (mailing-list, x_refsource_MLIST)

Frequently asked questions

What is CVE-2014-8517?: CVE-2014-8517 is a vulnerability in Apple Mac_os_x, classified under Command Injection. Published 2014-11-17.
Is CVE-2014-8517 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.