Mumble before 1.3.4 allows remote code execution if a victim navigates to a crafted URL on a server list and clicks on the Open Webpage text.

The remote Ubuntu 16.04 ESM host has packages installed that are affected by a vulnerability as referenced in the USN-5195-2 advisory.

    It was discovered that the Mumble client supported websites for public servers with arbitrary URL schemes.
    If a user were tricked into visiting a malicious website from the public server list, a remote attacker     could possibly execute arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-5195-1 advisory.

    It was discovered that the Mumble client supported websites for public servers with arbitrary URL schemes.
    If a user were tricked into visiting a malicious website from the public server list, a remote attacker     could possibly execute arbitrary code.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202105-13 (Mumble: User-assisted execution of arbitrary code)

    Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could entice a user to open a specially crafted server       list (web page) using Mumble, possibly resulting in execution of       arbitrary code with the privileges of the process or a Denial of Service       condition.
  Workaround :

    There is no known workaround at this time.

It was discovered that there was a a remote code execution vulnerability in mumble, a VoIP client commonly used for group chats.
The exploit could have been been triggered by a maliciously crafted URL on the server list. 

For Debian 9 'Stretch', this problem has been fixed in version 1.2.18-1+deb9u2.

We recommend that you upgrade your mumble packages.

For the detailed security status of mumble please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/mumble

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
183708	Ubuntu 16.04 ESM : Mumble vulnerability (USN-5195-2)	Nessus	Ubuntu Local Security Checks	high
156105	Ubuntu 18.04 LTS / 20.04 LTS : Mumble vulnerability (USN-5195-1)	Nessus	Ubuntu Local Security Checks	high
150004	GLSA-202105-13 : Mumble: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
146610	Debian DLA-2562-1 : mumble security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2021-27229

high

Tenable Plugins

high

high

high

high