CVE-2023-51698

9.6 CRITICAL

📋 TL;DR

CVE-2023-51698 is a critical command injection vulnerability in the Atril document viewer. When a user opens a crafted CBT file (a comic book archive that is really a tar archive), Atril's comics backend invokes the external `tar` command and places names read from the archive on its command line without terminating the option list. GNU tar treats an argument beginning with `--` as an option, so an archive entry named along the lines of `--checkpoint-action=exec=<command>` makes tar run an attacker-chosen command with the privileges of the user who opened the file. No authentication is needed; the only user interaction is opening the document. All Atril builds before the fix commit are affected.

💻 Affected Systems

Products:
  • Atril Document Viewer
Versions: All releases prior to fix commit ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed
Operating Systems: Any system with Atril installed, in practice Linux and BSD distributions that package the MATE desktop
Default Config Vulnerable: ⚠️ Yes (CBT support is enabled out of the box; Atril is usually registered as the handler for application/x-cbt)
Notes: Atril ships by default with MATE-based editions of Debian, Ubuntu MATE, Fedora, openSUSE, Arch and others; the distribution, not the desktop, determines whether a patched package is available.

📦 What is this software?

Atril is the default document viewer of the MATE desktop environment and a fork of GNOME's Evince. Besides PDF, PostScript, DjVu, DVI and EPUB it opens comic book archives (CBZ, CBR, CB7, CBT). For CBT archives the affected versions do not parse the tar format themselves but shell out to the system `tar` binary, which is where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining the same privileges as the user running Atril, potentially leading to lateral movement, data theft, and complete system control.

🟠

Likely Case

Remote code execution with user-level privileges, allowing file system access, credential harvesting, and installation of persistent malware.

🟢

If Mitigated

No impact if patched version is installed or if users avoid opening untrusted CBT documents.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: No
Weaponized: No known in-the-wild exploitation
Unauthenticated Exploit: ⚠️ Yes (no credentials needed; the victim only has to open the file)
Complexity: LOW

Exploitation requires user interaction (opening the malicious document) but nothing else: the attacker needs only to produce a tar archive whose member names are shaped like GNU tar options, rename it to `.cbt`, and get the victim to open it in Atril. No memory corruption or timing is involved, so a working file is reliable across distributions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version containing commit ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed

Vendor Advisory: https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2

Restart Required: No system reboot, but any running Atril instance must be closed and reopened to load the updated binary

Instructions:

1. Update Atril through your distribution's package manager.
2. For Fedora: 'sudo dnf update atril'.
3. For Debian, Ubuntu and derivatives, upgrade the `atril` package with apt.
4. For other distributions, check the package repositories or security tracker for a version that includes the fix commit or references CVE-2023-51698.

🔧 Temporary Workarounds

Disable CBT file association (linux)

Remove Atril as the default handler for CBT files so that double-clicking or a browser's "open with" does not launch Atril on them. Replace `other_application.desktop` with the desktop entry of whatever you want to handle the type instead (for example an archive manager). This only changes the default association; a user can still open a CBT file from Atril's own File > Open dialog, so it reduces, rather than removes, exposure.

xdg-mime default other_application.desktop application/x-cbt

Restrict user privileges (linux)

Run Atril inside a sandbox so that a command injected through tar is confined and cannot reach the user's home directory, credentials or the network. With Firejail:

firejail atril

🧯 If You Can't Patch

  • Block CBT files (extension `.cbt`, MIME type application/x-cbt) at the network perimeter and in email gateways; because a CBT is a plain tar archive, also inspect tar attachments whose member names begin with `-`
  • Educate users never to open CBT documents from untrusted sources, and to treat comic book archives with the same caution as executables until Atril is patched
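A gateway or triage tool that inspects CBT attachments can catch the injection before a user ever opens the file, because the payload has to be visible as a member name. The following is an added example for this advisory, not code from the Atril project: it uses Python's `tarfile` to list member names without extracting anything, flags any name GNU tar would parse as an option, and shows the general hardening (closing tar's option list with `--`) that prevents this class of bug. The sample archive, its member names and the function names are constructed for illustration.

```python
"""Scan a CBT (tar-based comic book) archive for member names that GNU tar
would parse as command-line options, and build a tar argv that cannot be
hijacked that way.

This is an added example for this advisory, not code from the Atril
project. The archive contents and the function names are constructed for
illustration; the member names shown are the shape of the injection, not a
copy of any real sample.
"""
import io
import re
import tarfile

# A member name that reaches tar's command line unquoted and starts with '-'
# is parsed as an option. --checkpoint-action=exec=<cmd> runs <cmd>.
OPTION_LIKE = re.compile(r"^-")
# Not the CVE's vector, but worth flagging in the same pass.
TRAVERSAL = re.compile(r"(^/|(^|/)\.\.(/|$))")


def suspicious_members(data: bytes) -> list[tuple[str, str]]:
    """Return (member_name, reason) for each risky entry. Nothing is extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            if OPTION_LIKE.match(member.name):
                findings.append((member.name, "tar option injection"))
            elif TRAVERSAL.search(member.name):
                findings.append((member.name, "path traversal"))
    return findings


def tar_extract_argv(archive: str, member: str) -> list[str]:
    """Argv for extracting one member to stdout with the option list closed.

    '--' makes tar treat every later argument as an operand, so a member
    named '--checkpoint-action=...' is looked up as a file name instead of
    being honoured as an option. Pass the list to subprocess.run() as-is,
    never through shell=True.
    """
    return ["tar", "-xOf", archive, "--", member]


def build_cbt(members: list[tuple[str, bytes]]) -> bytes:
    """Write an in-memory tar archive from (name, payload) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def build_sample_cbt() -> bytes:
    """Constructed sample: one ordinary page plus two option-shaped names."""
    return build_cbt([
        ("page01.jpg", b"\xff\xd8\xff\xe0fake-jpeg"),
        ("--checkpoint=1", b""),
        ("--checkpoint-action=exec=sh -c 'id > /tmp/pwned'", b""),
    ])


if __name__ == "__main__":
    import sys
    # With a path argument, scan that file; otherwise scan the built-in sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_cbt()
    for name, reason in suspicious_members(data):
        print(f"{reason}: {name!r}")
    print("hardened argv:", tar_extract_argv("comic.cbt", "--checkpoint=1"))
```

Run it with a path to a suspect `.cbt` to list the risky member names. The `tar_extract_argv` helper is there to make the hardening concrete: the defect is not that tar is called, but that attacker-controlled strings are placed where tar still accepts options. Any code that passes archive-derived names to a command line should either terminate the option list with `--` or avoid external tools altogether and parse the archive in-process.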

🔍 How to Verify

Check if Vulnerable:

Run 'atril --version' (or query your package manager) and compare the reported release against your distribution's security advisory for CVE-2023-51698. Upstream releases cut before commit ce41df6 are vulnerable; distribution packages may have the fix backported under an older version number, so the changelog, not the version string alone, is authoritative.

Check Version:

atril --version

Verify Fix Applied:

Confirm that the installed package's changelog references the fix. On RPM systems: 'rpm -q --changelog atril | grep -i CVE-2023-51698'. On Debian/Ubuntu: 'apt changelog atril | grep -i CVE-2023-51698'. Packages built from upstream git can be checked with 'git log --oneline | grep ce41df6' in the source tree. Then restart any running Atril instance.

📡 Detection & Monitoring

Log Indicators:

  • Atril spawning a shell or interpreter (sh, bash, python, perl) directly, or spawning tar which in turn spawns one. Atril launching tar, unzip, unrar or 7z by itself is normal when a comic book archive is opened and is not an indicator on its own.
  • A tar process whose parent is atril and whose command line contains program-executing options such as --checkpoint-action, --to-command or --use-compress-program; these come straight from the malicious member names and appear even if the payload fails.

Network Indicators:

  • Outbound connections from Atril process to unexpected destinations
  • Download of CBT files followed by process execution

SIEM Query:

(parent_process_name:"atril" AND process_name:("sh" OR "bash" OR "dash" OR "python3" OR "perl" OR "curl" OR "wget"))
OR (grandparent_process_name:"atril" AND parent_process_name:"tar" AND process_name:("sh" OR "bash" OR "dash" OR "python3" OR "perl" OR "curl" OR "wget"))
OR (parent_process_name:"atril" AND process_name:"tar" AND process_command_line:("*--checkpoint-action*" OR "*--to-command*" OR "*--use-compress-program*"))

Field names follow the common parent/child naming used by most EDR and SIEM schemas; adapt them to your product. A single process can never match two process_name values at once, so the condition has to be expressed over the parent-child relationship.
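Before committing a rule to the SIEM it helps to run the same logic over a handful of process-creation records and check that the benign cases (Atril opening a clean CBT, a user's own terminal shell) stay quiet. The following is an added example for this advisory, not the page's query or any Atril code. The JSON-lines records are constructed, and their field names (pid, ppid, name, cmdline) are an assumption; real EDR or auditd-derived telemetry will use different names.

```python
"""Hunt for the CVE-2023-51698 exploitation pattern in process-creation
telemetry: a shell or interpreter whose parent is atril, or whose parent
is an archive tool that atril launched (atril -> tar -> sh), plus tar
command lines carrying option-injection arguments.

Added example for this advisory, not the page's own query or Atril code.
The JSON-lines records below are constructed; their field names (pid,
ppid, name, cmdline) are an assumption and will differ between EDR and
auditd pipelines.
"""
import json
import shlex

# Helpers atril legitimately runs to unpack comic book archives.
ARCHIVE_TOOLS = {"tar", "unzip", "unrar", "7z", "bsdtar"}
# Processes that should never hang off atril or its archive helpers.
SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl",
          "curl", "wget", "nc"}
# GNU tar options that make it execute a program.
EXEC_OPTIONS = ("--checkpoint-action", "--to-command",
                "--use-compress-program", "-I")

# Constructed sample telemetry: one exploitation chain, one clean CBT open,
# and a user's own terminal shell that must not be flagged.
SAMPLE_LOG = """
{"pid": 4000, "ppid": 1, "name": "mate-session", "cmdline": "mate-session"}
{"pid": 4100, "ppid": 4000, "name": "atril", "cmdline": "atril /home/u/Downloads/comic.cbt"}
{"pid": 4101, "ppid": 4100, "name": "tar", "cmdline": "tar -xOf /home/u/Downloads/comic.cbt --checkpoint=1 --checkpoint-action=exec=sh -c id"}
{"pid": 4102, "ppid": 4101, "name": "sh", "cmdline": "sh -c id"}
{"pid": 4200, "ppid": 4000, "name": "atril", "cmdline": "atril /home/u/Documents/ok.cbt"}
{"pid": 4201, "ppid": 4200, "name": "tar", "cmdline": "tar -xOf /home/u/Documents/ok.cbt page01.jpg"}
{"pid": 4300, "ppid": 4000, "name": "mate-terminal", "cmdline": "mate-terminal"}
{"pid": 4301, "ppid": 4300, "name": "bash", "cmdline": "bash"}
"""


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.strip().splitlines()]


def ancestry(event: dict, by_pid: dict) -> list[str]:
    """Process names from the event up to the oldest ancestor in the table."""
    chain = [event["name"]]
    seen = {event["pid"]}
    cur = by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        chain.append(cur["name"])
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return chain


def find_atril_shell_chains(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(pid, root-first chain) for each shell with atril one or two levels up."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["name"] not in SHELLS:
            continue
        chain = ancestry(e, by_pid)
        parent = chain[1] if len(chain) > 1 else None
        grandparent = chain[2] if len(chain) > 2 else None
        if parent == "atril" or (parent in ARCHIVE_TOOLS and grandparent == "atril"):
            hits.append((e["pid"], chain[::-1]))
    return hits


def find_tar_option_injection(events: list[dict]) -> list[int]:
    """PIDs of tar processes started by atril whose argv contains an option
    that makes tar run a program. Catches the attempt even if the payload
    failed or the child process event was missed."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["name"] != "tar":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["name"] != "atril":
            continue
        if any(tok.startswith(EXEC_OPTIONS) for tok in shlex.split(e["cmdline"])):
            hits.append(e["pid"])
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for pid, chain in find_atril_shell_chains(evs):
        print(f"ALERT pid={pid} chain={' -> '.join(chain)}")
    for pid in find_tar_option_injection(evs):
        print(f"ALERT pid={pid} tar launched by atril with exec-capable option")
```

The two checks are deliberately independent: the process-tree check fires on what the injected command actually did, while the argv check fires on the attempt itself and survives a missed or short-lived child event. Keep the archive-tool allow-list tight; widening it to anything atril spawns would turn a normal CBT open into an alert.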

🔗 References

  • Vendor advisory (GitHub Security Advisory): https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2023-51698
  • Fix commit in mate-desktop/atril: ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed