CVE-2020-17368

Description

Firejail through 0.9.62 mishandles shell metacharacters during use of the --output or --output-stderr option, which may lead to command injection.

Link	Tags
https://github.com/netblue30/firejail/	third party advisory
https://www.debian.org/security/2020/dsa-4742	third party advisory vendor advisory
https://www.debian.org/security/2020/dsa-4743	third party advisory vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00036.html	mailing list third party advisory vendor advisory
https://lists.debian.org/debian-lts-announce/2020/08/msg00033.html	third party advisory mailing list
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W66IR5YT4KG464SKEMQN2NP2LGATGEGS/	vendor advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JFXN3JJG4DIMN4TAHOTKFMS7SGM4EOTR/	vendor advisory
https://security.gentoo.org/glsa/202101-02	third party advisory vendor advisory

What is the severity of CVE-2020-17368?: CVE-2020-17368 has been scored as a critical severity vulnerability.
How to fix CVE-2020-17368?: To fix CVE-2020-17368, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2020-17368 being actively exploited in the wild?: It is possible that CVE-2020-17368 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~4% probability that this vulnerability will be exploited by malicious actors in the next 30 days.