{"id":"UBUNTU-CVE-2023-51698","details":"Atril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the target user opens a crafted document or clicks on a crafted link/URL using a maliciously crafted CBT document which is a TAR archive. A patch is available at commit ce41df6.","modified":"2026-04-22T16:58:25.405005Z","published":"2024-01-12T21:15:00Z","related":["USN-7274-1"],"upstream":["CVE-2023-51698"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-51698"},{"type":"REPORT","url":"https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2"},{"type":"REPORT","url":"https://github.com/mate-desktop/atril/commit/ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2023-51698"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7274-1"}],"affected":[{"package":{"name":"atril","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/atril@1.20.1-2ubuntu2+esm2?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.20.1-2ubuntu2+esm2"}]}],"versions":["1.18.1-1","1.18.3-1","1.19.6-0ubuntu1","1.20.0-0ubuntu1","1.20.1-0ubuntu1","1.20.1-1","1.20.1-2ubuntu1","1.20.1-2ubuntu2","1.20.1-2ubuntu2+esm1"],"ecosystem_specific":{"priority_reason":"Remote code execution vulnerability with available exploit and demo video.","availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1.20.1-2ubuntu2+esm2","binary_name":"atril"},{"binary_version":"1.20.1-2ubuntu2+esm2","binary_name":"atril-common"},{"binary_version":"1.20.1-2ubuntu2+esm2","binary_name":"gir1.2-atril"},{"binary_version":"1.20.1-2ubuntu2+esm2","binary_name":"gir1.2-atrildocument-1.5.0"},{"binary_version":"1.20.1-2ubuntu2+esm2","binary_name":"gir1.2-atrilview-1.5.0"},{"binary_version":"1.20.1-2ubuntu2+esm2","binary_name":"libatrildocument3"},{"binary_version":"1.20.1-2ubuntu2+esm2","binary_name":"libatrilview3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-51698.json"}},{"package":{"name":"atril","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/atril@1.24.0-1ubuntu0.2?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.24.0-1ubuntu0.2"}]}],"versions":["1.22.2-0ubuntu1","1.24.0-0ubuntu1","1.24.0-1","1.24.0-1ubuntu0.1"],"ecosystem_specific":{"priority_reason":"Remote code execution vulnerability with available exploit and demo video.","availability":"No subscription required","binaries":[{"binary_version":"1.24.0-1ubuntu0.2","binary_name":"atril"},{"binary_version":"1.24.0-1ubuntu0.2","binary_name":"atril-common"},{"binary_version":"1.24.0-1ubuntu0.2","binary_name":"gir1.2-atril"},{"binary_version":"1.24.0-1ubuntu0.2","binary_name":"gir1.2-atrildocument-1.5.0"},{"binary_version":"1.24.0-1ubuntu0.2","binary_name":"gir1.2-atrilview-1.5.0"},{"binary_version":"1.24.0-1ubuntu0.2","binary_name":"libatrildocument3"},{"binary_version":"1.24.0-1ubuntu0.2","binary_name":"libatrilview3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-51698.json"}},{"package":{"name":"atril","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/atril@1.26.0-1ubuntu1.2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.26.0-1ubuntu1.2"}]}],"versions":["1.26.0-0ubuntu1","1.26.0-1ubuntu1","1.26.0-1ubuntu1.1"],"ecosystem_specific":{"priority_reason":"Remote code execution vulnerability with available exploit and demo video.","availability":"No subscription required","binaries":[{"binary_version":"1.26.0-1ubuntu1.2","binary_name":"atril"},{"binary_version":"1.26.0-1ubuntu1.2","binary_name":"atril-common"},{"binary_version":"1.26.0-1ubuntu1.2","binary_name":"gir1.2-atrildocument-1.5.0"},{"binary_version":"1.26.0-1ubuntu1.2","binary_name":"gir1.2-atrilview-1.5.0"},{"binary_version":"1.26.0-1ubuntu1.2","binary_name":"libatrildocument3"},{"binary_version":"1.26.0-1ubuntu1.2","binary_name":"libatrilview3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2023/UBUNTU-CVE-2023-51698.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"high"}]}