Anolis OS update for gnome-shell-extensions and gnome-shell

Published: 2025-03-28

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2024-36472
CWE-ID	CWE-254
Exploitation vector	Local network
Public exploit	N/A
Vulnerable software	Anolis OS Operating systems & Components / Operating system gnome-shell-extensions-doc Operating systems & Components / Operating system package or component gnome-shell-extension-workspace-indicator Operating systems & Components / Operating system package or component gnome-shell-extension-windowsNavigator Operating systems & Components / Operating system package or component gnome-shell-extension-window-list Operating systems & Components / Operating system package or component gnome-shell-extension-user-theme Operating systems & Components / Operating system package or component gnome-shell-extension-updates-dialog Operating systems & Components / Operating system package or component gnome-shell-extension-top-icons Operating systems & Components / Operating system package or component gnome-shell-extension-systemMonitor Operating systems & Components / Operating system package or component gnome-shell-extension-screenshot-window-sizer Operating systems & Components / Operating system package or component gnome-shell-extension-places-menu Operating systems & Components / Operating system package or component gnome-shell-extension-panel-favorites Operating systems & Components / Operating system package or component gnome-shell-extension-native-window-placement Operating systems & Components / Operating system package or component gnome-shell-extension-launch-new-instance Operating systems & Components / Operating system package or component gnome-shell-extension-heads-up-display Operating systems & Components / Operating system package or component gnome-shell-extension-gesture-inhibitor Operating systems & Components / Operating system package or component gnome-shell-extension-drive-menu Operating systems & Components / Operating system package or component gnome-shell-extension-desktop-icons Operating systems & Components / Operating system package or component gnome-shell-extension-dash-to-panel Operating systems & Components / Operating system package or component gnome-shell-extension-dash-to-dock Operating systems & Components / Operating system package or component gnome-shell-extension-common Operating systems & Components / Operating system package or component gnome-shell-extension-classification-banner Operating systems & Components / Operating system package or component gnome-shell-extension-auto-move-windows Operating systems & Components / Operating system package or component gnome-shell-extension-apps-menu Operating systems & Components / Operating system package or component gnome-classic-session Operating systems & Components / Operating system package or component gnome-shell Operating systems & Components / Operating system package or component
Vendor	OpenAnolis

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Security features bypass

EUVDB-ID: #VU94782

Risk: Medium

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-36472

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to missing access restrictions in portal helper, which can be launched automatically without user confirmation based on network responses provided by an adversary in the local network (e.g. WI-Fi). A remote attacker can consume system resources or perform other actions depending on the JavaScript code's behavior.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 8

gnome-shell-extensions-doc: before 40.7-19.0.1

gnome-shell-extension-workspace-indicator: before 40.7-19.0.1

gnome-shell-extension-windowsNavigator: before 40.7-19.0.1

gnome-shell-extension-window-list: before 40.7-19.0.1

gnome-shell-extension-user-theme: before 40.7-19.0.1

gnome-shell-extension-updates-dialog: before 40.7-19.0.1

gnome-shell-extension-top-icons: before 40.7-19.0.1

gnome-shell-extension-systemMonitor: before 40.7-19.0.1

gnome-shell-extension-screenshot-window-sizer: before 40.7-19.0.1

gnome-shell-extension-places-menu: before 40.7-19.0.1

gnome-shell-extension-panel-favorites: before 40.7-19.0.1

gnome-shell-extension-native-window-placement: before 40.7-19.0.1

gnome-shell-extension-launch-new-instance: before 40.7-19.0.1

gnome-shell-extension-heads-up-display: before 40.7-19.0.1

gnome-shell-extension-gesture-inhibitor: before 40.7-19.0.1

gnome-shell-extension-drive-menu: before 40.7-19.0.1

gnome-shell-extension-desktop-icons: before 40.7-19.0.1

gnome-shell-extension-dash-to-panel: before 40.7-19.0.1

gnome-shell-extension-dash-to-dock: before 40.7-19.0.1

gnome-shell-extension-common: before 40.7-19.0.1

gnome-shell-extension-classification-banner: before 40.7-19.0.1

gnome-shell-extension-auto-move-windows: before 40.7-19.0.1

gnome-shell-extension-apps-menu: before 40.7-19.0.1

gnome-classic-session: before 40.7-19.0.1

gnome-shell: before 40.10-21

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2024:1083

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.