CVE-2017-1000024 — Cleartext Transmission of Sensitive Info in Shotwell

CWE-319 — Cleartext Transmission of Sensitive Info CWE-200 — Sensitive Information Exposure7 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 52.00%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Shotwell Debian Shotwell

Timeline

PublishedJul 17

Latest updateMay 13

Description

Shotwell version 0.24.4 or earlier and 0.25.3 or earlier is vulnerable to an information disclosure in the web publishing plugins resulting in potential password and oauth token plaintext transmission

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/shotwell< shotwell 0.25.4+really0.24.5-0.1 (bookworm)

▶Debiangnome/shotwell< 0.25.4+really0.24.5-0.1+3

▶NVDgnome/shotwell0.24.0 — 0.24.4+1

🔴Vulnerability Details

GHSA

GHSA-w69f-r5ch-7w68: Shotwell version 0↗2022-05-13

▶

OSV

CVE-2017-1000024: Shotwell version 0↗2017-07-17

▶

📋Vendor Advisories

Ubuntu

Shotwell vulnerability↗2017-08-07

▶

Red Hat

shotwell: Information disclosure in the web publishing plugins↗2017-07-07

▶

Debian

CVE-2017-1000024: shotwell - Shotwell version 0.24.4 or earlier and 0.25.3 or earlier is vulnerable to an inf...↗2017

▶

💬Community

Bugzilla

CVE-2017-1000024 shotwell: Information disclosure in the web publishing plugins↗2017-08-17

▶