CVE-2017-8288
moderate-risk
Published 2017-04-27
gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen. With these extensions, a bystander could launch applications (but not interact with them), see information from the extensions (e.g., what applications you have opened or what music you were playing), or even execute arbitrary commands. It all depends on what extensions a user has enabled. The problem is caused by lack of exception handling in js/ui/extensionSystem.js.
Do I need to act?
-
0.40% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10
High
NETWORK
/ HIGH complexity
Affected Products (12)
Gnome-Shell
Gnome-Shell
Gnome-Shell
Gnome-Shell
Gnome-Shell
Gnome-Shell
Gnome-Shell
Gnome-Shell
Gnome-Shell
Gnome-Shell
Gnome-Shell
Gnome-Shell
Affected Vendors
References (10)
Third Party Advisory
http://www.securityfocus.com/bid/98070
Issue Tracking
https://bugs.kali.org/view.php?id=2513
Issue Tracking
https://bugzilla.gnome.org/show_bug.cgi?id=781728
Third Party Advisory
https://github.com/EasyScreenCast/EasyScreenCast/issues/46
Third Party Advisory
http://www.securityfocus.com/bid/98070
Issue Tracking
https://bugs.kali.org/view.php?id=2513
Issue Tracking
https://bugzilla.gnome.org/show_bug.cgi?id=781728
Third Party Advisory
https://github.com/EasyScreenCast/EasyScreenCast/issues/46
43
/ 100
moderate-risk
Severity
24/34 · High
Exploitability
2/34 · Minimal
Exposure
17/34 · Moderate