CVE-2022-27811

9.8 CRITICAL

📋 TL;DR

CVE-2022-27811 is a critical OS command injection vulnerability in GNOME OCRFeeder that allows attackers to execute arbitrary commands on the system by crafting malicious PDF or image filenames containing shell metacharacters. This affects all users running OCRFeeder versions before 0.8.4 who process untrusted files. The vulnerability enables remote code execution with the privileges of the OCRFeeder process.

💻 Affected Systems

Products:
  • GNOME OCRFeeder
Versions: All versions before 0.8.4
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when processing PDF or image files with shell metacharacters in filenames. Any installation processing untrusted files is vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise allowing attacker to execute arbitrary commands with the privileges of the OCRFeeder process, potentially leading to complete system takeover, data exfiltration, or lateral movement within the network.

🟠

Likely Case

Remote code execution allowing attackers to install malware, create backdoors, steal sensitive data, or use the compromised system as a foothold for further attacks.

🟢

If Mitigated

Limited impact if OCRFeeder runs with minimal privileges, in isolated environments, or only processes trusted files from controlled sources.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to supply a malicious filename, which could be delivered via email attachments, downloads, or network shares. The vulnerability is trivial to exploit once the malicious file reaches the vulnerable system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.4 and later

Vendor Advisory: https://gitlab.gnome.org/GNOME/ocrfeeder/-/commit/5286120c8bc8b7ba74e0f9b19b5262b509f38cee

Restart Required: No

Instructions:

  1. Update OCRFeeder to version 0.8.4 or later using your distribution's package manager.
  2. For source installations: download the latest release from GNOME GitLab, compile, and install.
  3. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Restrict file processing

Platform: Linux

Only allow OCRFeeder to process files from trusted sources and sanitize filenames before processing.

Run with reduced privileges

Platform: Linux

Run OCRFeeder with a non-privileged user account to limit potential damage from exploitation.

sudo -u lowprivilegeuser ocrfeeder

🧯 If You Can't Patch

  • Disable OCRFeeder entirely if not essential for operations
  • Implement strict input validation and filename sanitization before files reach OCRFeeder
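The two workarounds above ("sanitize filenames before processing" and "strict input validation ... before files reach OCRFeeder") come down to one rule: a file name must never be spliced into a string that a shell parses. The following is an added example, not OCRFeeder's code and not the upstream fix; it shows the unsafe shape, an allow-list check that rejects names carrying shell metacharacters, and the two safe ways of handing a name to an external tool (an argv list with no shell, or shlex.quote when a shell string cannot be avoided). The tool name convert, the output path and the sample names are assumptions made for the example.

```python
"""Added example (not OCRFeeder's code or the upstream fix): the unsafe
pattern behind a filename-based command injection, an allow-list check
that rejects names with shell metacharacters, and two safe ways to hand
a file name to an external tool. 'convert' stands in for whatever
converter the application actually invokes."""
import re
import shlex
import subprocess

# Constructed sample names, not from the advisory: one benign, three that
# become shell syntax once spliced into a command string.
SAMPLES = ["scan_page1.png", "invoice;id.pdf", "page`id`.png", "a b.pdf"]

# Allow-list: letters, digits, dot, underscore, dash; first character
# alphanumeric so a name can never start with '-' and be read as an option.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Characters a POSIX shell treats as syntax rather than as part of a word.
SHELL_META = set(";|&$`<>()\\'\"\n\t ")


def unsafe_shell_command(filename):
    """The vulnerable shape (returned as a string, never executed here):
    the name is interpolated into text that os.system() or shell=True
    would hand to /bin/sh, so ';', '`' or '$()' inside it become commands."""
    return "convert %s /tmp/out.png" % filename


def shell_metachars(filename):
    """Which shell metacharacters a name contains (empty set if none)."""
    return set(filename) & SHELL_META


def is_safe_filename(filename):
    """Allow-list check: reject anything outside SAFE_NAME, which also
    excludes path separators, whitespace and every shell metacharacter."""
    return bool(SAFE_NAME.match(filename))


def safe_argv(filename, out="/tmp/out.png"):
    """Hardened form 1: validate, then build an argv list. A list passed
    to subprocess with shell=False is never parsed by a shell at all."""
    if not is_safe_filename(filename):
        raise ValueError("rejected filename: %r" % filename)
    return ["convert", filename, out]


def quoted_shell_command(filename, out="/tmp/out.png"):
    """Hardened form 2, when a shell string is unavoidable: shlex.quote()
    wraps each argument so metacharacters stay literal."""
    return "convert %s %s" % (shlex.quote(filename), shlex.quote(out))


def run_safely(filename):
    """Run the converter without a shell; returns the CompletedProcess."""
    return subprocess.run(safe_argv(filename), shell=False, check=False)


if __name__ == "__main__":
    for name in SAMPLES:
        print("%-18s meta=%-12s safe=%s" % (
            name, sorted(shell_metachars(name)), is_safe_filename(name)))
```

The allow-list is deliberately strict: rather than trying to enumerate every character a shell might interpret, it names the characters a scanned-document file name legitimately needs and rejects the rest. Where rejecting is not an option, rename the file to a generated safe name before it reaches the converter.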

🔍 How to Verify

Check if Vulnerable:

Check OCRFeeder version: ocrfeeder --version. If version is below 0.8.4, the system is vulnerable.

Check Version:

ocrfeeder --version

Verify Fix Applied:

After updating, verify version is 0.8.4 or higher: ocrfeeder --version

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution from OCRFeeder process
  • Suspicious filenames with shell metacharacters being processed
  • Unexpected child processes spawned by OCRFeeder

Network Indicators:

  • Outbound connections from OCRFeeder process to unexpected destinations
  • Command and control traffic originating from systems running OCRFeeder

SIEM Query:

parent_process_name="ocrfeeder" AND (process_name="sh" OR process_name="bash" OR process_name="dash" OR process_command_line CONTAINS ";" OR process_command_line CONTAINS "`" OR process_command_line CONTAINS "$(" OR process_command_line CONTAINS "|")

Field names are generic and must be mapped to your SIEM's schema. The query keys on child processes of OCRFeeder because an injected command is handed to a spawned shell and shows up in that child's command line, not in OCRFeeder's own. Match shell names exactly rather than by substring: a CONTAINS "sh" clause also fires on sshd, flash and every other process name containing those two letters.
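The same logic applied to constructed process-creation events, as an added example that is not part of the advisory or of OCRFeeder. The JSON-lines shape and the field names ts, parent, image and cmdline are assumptions; adapt them to what your EDR or auditd forwarder actually emits. The point it adds to the query above is exact matching on the child's image basename, so unrelated processes whose names merely contain "sh" do not alert.

```python
"""Added example (not from the advisory or the project): the advisory's
log indicators applied to constructed process-creation events. Event
shape and field names are assumed."""
import json
import os
import re

# Constructed JSON-lines events, not real telemetry. The third is the
# pattern the advisory describes: OCRFeeder spawning /bin/sh with a
# command line carrying a file name full of shell syntax.
EVENTS = [
    '{"ts":"2022-04-01T10:00:01Z","parent":"gnome-shell","image":"/usr/bin/ocrfeeder","cmdline":"ocrfeeder"}',
    '{"ts":"2022-04-01T10:00:05Z","parent":"ocrfeeder","image":"/usr/bin/convert","cmdline":"convert scan_page1.png /tmp/p1.png"}',
    '{"ts":"2022-04-01T10:00:09Z","parent":"ocrfeeder","image":"/bin/sh","cmdline":"sh -c convert invoice;id.pdf /tmp/p2.png"}',
    '{"ts":"2022-04-01T10:00:12Z","parent":"sshd","image":"/bin/bash","cmdline":"bash -l"}',
]

SHELLS = {"sh", "bash", "dash", "zsh"}
# Only characters that turn a file name into shell syntax; '-' and '.'
# are left out so ordinary option flags and extensions do not fire.
META = re.compile(r"[;|&`$<>]")


def parse_event(line):
    """Parse one JSON-lines event; missing keys become empty strings."""
    ev = json.loads(line)
    return {k: str(ev.get(k, "")) for k in ("ts", "parent", "image", "cmdline")}


def reasons_for(ev):
    """Return the indicators an event matches (empty list if benign).
    The shell test is on the exact image basename, not a substring, so
    'sshd' or 'flash' never count as a shell."""
    reasons = []
    if ev["parent"] != "ocrfeeder":
        return reasons
    if os.path.basename(ev["image"]) in SHELLS:
        reasons.append("shell spawned by ocrfeeder")
    if META.search(ev["cmdline"]):
        reasons.append("shell metacharacters in ocrfeeder child command line")
    return reasons


def scan(lines):
    """Run every event through reasons_for(); return (ts, image, reasons)
    for the ones that fire."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        r = reasons_for(ev)
        if r:
            hits.append((ev["ts"], ev["image"], r))
    return hits


if __name__ == "__main__":
    for ts, image, r in scan(EVENTS):
        print(ts, image, "; ".join(r))
```

Only the third event fires, and it fires on both indicators; the converter child with a clean file name and the interactive bash under sshd are left alone. A legitimate OCRFeeder child that is itself a shell wrapper would need an allow-list entry, which is cheaper than tolerating the substring noise of the broader query.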
