Dive Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the Dive application, in versions starting at 0.9.0 and prior to 0.9.3. It arises from improper handling of custom URLs: a malicious link that is embedded in a page and clicked by the user triggers the execution of arbitrary code on the user's machine. The issue is triggered through Dive's custom URL handler, 'dive:', which launches the application and processes the crafted URL, leading to the execution of the embedded commands.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the victim's machine, provided that Dive is installed.

Reproduction

To reproduce this vulnerability, create a custom URL that includes a 'transport' parameter set to 'stdio', along with a 'command' value that specifies a command to be executed, such as opening an application. This URL can be embedded in a website or user-generated content. When the link is clicked, Dive will process the URL and execute the command on the user's machine.

Remediation

Users can update to Dive version 0.9.4, which addresses this vulnerability.
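
A site that hosts user-generated content can also screen submitted links for the pattern described under Reproduction. The following check is an added example, not code from Dive or from the original advisory; it assumes 'transport' and 'command' travel as query-string parameters, and the function names, link paths and command values are placeholders constructed for illustration.

```javascript
// Added example, not Dive's code. Assumption: 'transport' and 'command'
// arrive as query-string parameters; the advisory gives no exact link layout.
const DIVE_LINK = /\bdive:[^\s"'<>]+/gi;

// Classify one dive: link as 'block', 'review' or 'allow'.
function inspectDiveLink(link) {
  const q = link.indexOf('?');
  const query = q === -1 ? '' : link.slice(q + 1).split('#')[0];
  let stdio = false;
  let command = false;
  // URLSearchParams percent-decodes names and values. Names are lower-cased
  // and every duplicate is checked, so 'Transport', '%74ransport' or a
  // repeated parameter cannot slip past the comparison.
  for (const [name, value] of new URLSearchParams(query)) {
    const key = name.trim().toLowerCase();
    if (key === 'transport' && value.trim().toLowerCase() === 'stdio') stdio = true;
    if (key === 'command' && value.trim() !== '') command = true;
  }
  if (stdio && command) return 'block';   // the combination the advisory describes
  if (stdio || command) return 'review';  // one half present: hold for a human
  return 'allow';
}

// Find every dive: link in untrusted HTML or text and classify it.
function scanContent(text) {
  return Array.from(text.matchAll(DIVE_LINK), (m) => {
    // Attribute values in HTML may encode '&' as '&amp;'; undo that first.
    const link = m[0].replace(/&amp;/gi, '&');
    return { link, verdict: inspectDiveLink(link) };
  });
}

// Constructed sample content; link paths and command values are placeholders.
const SAMPLE = [
  '<a href="dive:placeholder?transport=stdio&amp;command=PLACEHOLDER_CMD">a</a>',
  '<a href="dive:placeholder?Transport=STDIO&command=PLACEHOLDER_CMD">b</a>',
  '<a href="dive:placeholder?%74ransport=stdio&command=PLACEHOLDER_CMD">c</a>',
  'see dive:placeholder?command=PLACEHOLDER_CMD for setup',
  '<a href="dive:placeholder?name=demo">d</a>',
  '<a href="https://example.com/?transport=stdio&command=x">not a dive link</a>',
].join('\n');

for (const f of scanContent(SAMPLE)) console.log(f.verdict, f.link);
```

Screening of this kind reduces exposure on one site only; updating Dive remains the fix.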

Added: Sep 3, 2025, 4:24 AM
Updated: Sep 3, 2025, 4:24 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 10.0
exploitability: 7.7
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.