{"id":"UBUNTU-CVE-2017-5982","details":"Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi allows remote attackers to read arbitrary files via a %2E%2E%252e (encoded dot dot slash) in the image path, as demonstrated by image/image%3A%2F%2F%2e%2e%252fetc%252fpasswd.","modified":"2026-05-20T16:06:08.587707196Z","published":"2017-02-28T18:59:00Z","upstream":["CVE-2017-5982"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-5982"},{"type":"REPORT","url":"http://seclists.org/fulldisclosure/2017/Feb/27"},{"type":"REPORT","url":"http://trac.kodi.tv/ticket/17314"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2017-5982"}],"affected":[{"package":{"name":"kodi","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["15.1+dfsg1-3","15.2+dfsg1-1build1","15.2+dfsg1-3","15.2+dfsg1-3ubuntu1","15.2+dfsg1-3ubuntu1.1"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-bin","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-data","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-eventclients-common","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-eventclients-j2me","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-eventclients-ps3","binary_version":"15.2+dfsg1-3ubuntu1.1"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"15.2+dfsg1-3ubuntu1.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-5982.json"}},{"package":{"name":"kodi","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2:17.3+dfsg1-3","2:17.3+dfsg1-3build1","2:17.3+dfsg1-5","2:17.3+dfsg1-5build1","2:17.3+dfsg1-5build2","2:17.6+dfsg1-1","2:17.6+dfsg1-1build1","2:17.6+dfsg1-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-bin","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-data","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-eventclients-common","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-eventclients-ps3","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"kodi-repository-kodi","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc-bin","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc-eventclients-common","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc-eventclients-ps3","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc-eventclients-wiiremote","binary_version":"2:17.6+dfsg1-1ubuntu1"},{"binary_name":"xbmc-eventclients-xbmc-send","binary_version":"2:17.6+dfsg1-1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-5982.json"}},{"package":{"name":"kodi","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2:19.1+dfsg2-2","2:19.3+dfsg1-1","2:19.3+dfsg1-1build2","2:19.3+dfsg1-1build3","2:19.3+dfsg1-1build4","2:19.3+dfsg1-1build5","2:19.4+dfsg1-2"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-addons-dev-common","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-bin","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-data","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-common","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-dev-common","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-ps3","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-python","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-eventclients-zeroconf","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-repository-kodi","binary_version":"2:19.4+dfsg1-2"},{"binary_name":"kodi-tools-texturepacker","binary_version":"2:19.4+dfsg1-2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-5982.json"}},{"package":{"name":"kodi","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2:20.2+dfsg-4","2:20.2+dfsg-4build1","2:20.2+dfsg-4build2","2:20.2+dfsg-4ubuntu1","2:20.3+dfsg-1","2:20.4+dfsg-1","2:20.5+dfsg-1build2","2:20.5+dfsg-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-addons-dev-common","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-bin","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-data","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-common","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-dev-common","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-ps3","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-python","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-zeroconf","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-repository-kodi","binary_version":"2:20.5+dfsg-1ubuntu1"},{"binary_name":"kodi-tools-texturepacker","binary_version":"2:20.5+dfsg-1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-5982.json"}},{"package":{"name":"kodi","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2:21.2+dfsg-1build2","2:21.2+dfsg-4","2:21.2+dfsg-4build1","2:21.2+dfsg-4build2"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-addons-dev-common","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-bin","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-data","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-common","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-dev-common","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-ps3","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-python","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-eventclients-zeroconf","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-repository-kodi","binary_version":"2:21.2+dfsg-4build2"},{"binary_name":"kodi-tools-texturepacker","binary_version":"2:21.2+dfsg-4build2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-5982.json"}},{"package":{"name":"kodi","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/kodi?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2:21.2+dfsg-4build2","2:21.2+dfsg-4build3","2:21.2+dfsg-5","2:21.3+dfsg-1","2:21.3+dfsg-1build1","2:21.3+dfsg-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_name":"kodi","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-addons-dev-common","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-bin","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-data","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-common","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-dev-common","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-kodi-send","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-ps3","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-python","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-wiiremote","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-eventclients-zeroconf","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-repository-kodi","binary_version":"2:21.3+dfsg-1ubuntu1"},{"binary_name":"kodi-tools-texturepacker","binary_version":"2:21.3+dfsg-1ubuntu1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-5982.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}