Input validation error in gnome-shell
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2017-8288 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
gnome-shell Client/Desktop applications / Software for system administration |
| Vendor | Gnome Development Team |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Input validation error
EUVDB-ID: #VU39101
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-8288
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen. With these extensions, a bystander could launch applications (but not interact with them), see information from the extensions (e.g., what applications you have opened or what music you were playing), or even execute arbitrary commands. It all depends on what extensions a user has enabled. The problem is caused by lack of exception handling in js/ui/extensionSystem.js.
MitigationInstall update from vendor's website.
Vulnerable software versionsgnome-shell: 3.22.0 - 3.24.1
CPE2.3 External linkshttps://www.securityfocus.com/bid/98070
https://bugs.kali.org/view.php?id=2513
https://bugzilla.gnome.org/show_bug.cgi?id=781728
https://github.com/EasyScreenCast/EasyScreenCast/issues/46
https://github.com/GNOME/gnome-shell/commit/ff425d1db7082e2755d2a405af53861552acf2a1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
