View at Official debian advisory, NVD, CVE.org · CVE detail
Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.
CVE-2017-15108 not yet assigned priority: Debian including 1 source packages (spice-vdagent), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.
spice-vdagent up to and including 0.17.0 does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary commands to be executed.