Bug 1941478 (CVE-2021-22191) - CVE-2021-22191 wireshark: improper URL handling may lead to remote code execution
Summary: CVE-2021-22191 wireshark: improper URL handling may lead to remote code execu...
Alias: CVE-2021-22191
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1941479
Blocks: 1941480
TreeView+ depends on / blocked
Reported: 2021-03-22 09:06 UTC by Marian Rehak
Modified: 2021-09-29 17:58 UTC (History)
9 users (show)

Fixed In Version: wireshark 3.4.4, wireshark 3.2.12
Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in Wireshark. An attacker who sends malicious links with schemes other than http/https over the wire or via a pcapng file, and who is able to get a victim user of Wireshark's user interface to click these links, could perform actions such as mounting volumes, or in some cases launching undesired programs.
Clone Of:
Last Closed: 2021-04-01 05:35:10 UTC

Attachments (Terms of Use)

Description Marian Rehak 2021-03-22 09:06:38 UTC
Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via via packet injection or crafted capture file.

Upstream Reference:


Comment 1 Marian Rehak 2021-03-22 09:07:17 UTC
Created wireshark tracking bugs for this issue:

Affects: fedora-all [bug 1941479]

Comment 2 Todd Cullum 2021-03-24 21:08:15 UTC
Flaw summary:

In Wireshark's graphical user interface, clicking URIs in pcapng files and wire captures causes them to be "opened" by the default program. In the case of HTTP and HTTPS schemes, this normally occurs in the default web browser. However, other schemes such as file, ftp, dav, nfs, etc... can perform undesired actions such as running a .desktop file or mounting an NFS volume, depending on system configuration. This, along with social engineering, could be used by an attacker to trick the user into mounting an undesired volume or in the worst case, code execution. The attack requires the victim user to click/open a malicious URI, and system configuration to execute that file, in order to be exploited. The patch modifies ProtoTree::itemDoubleClicked() to only allow http & https. The root cause is arbitrary schemes being passed to QDesktopServices::openUrl().

Comment 3 Todd Cullum 2021-03-24 21:08:30 UTC
External References:


Comment 4 Todd Cullum 2021-03-24 21:42:13 UTC

This flaw can be entirely mitigated by ensuring that Wireshark users do not click arbitrary links found in wire captures and from pcapng files. The exploitation of this flaw requires the user to click links found in the Wireshark UI.

Comment 5 Todd Cullum 2021-03-31 23:57:05 UTC

Versions of Wireshark shipped with Red Hat Enterprise Linux 6, 7, and 8 are not affected by this flaw.

Comment 6 Product Security DevOps Team 2021-04-01 05:35:10 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.