CVE-2017-14604: Improper Input Validation in Nautilus

Severity
6.5 MEDIUM (NVD)
EPSS
3.9%
top 11.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 20
Latest update: May 13

Description

GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to ha

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Exploitability: 2.8 | Impact: 3.6

Affected Packages (2 packages)

NVD: gnome/nautilus < 3.23.90
Debian: gnome/nautilus < 3.25.90-1+3

Also affects: Debian Linux 10.0, 8.0, 9.0

Patches

🔴 Vulnerability Details (3)

GHSA
GHSA-94j8-ww24-pr2v: GNOME Nautilus before 3... (2022-05-13)
OSV
CVE-2017-14604: GNOME Nautilus before 3... (2017-09-20)
CVEList
CVE-2017-14604: GNOME Nautilus before 3... (2017-09-20)

📋 Vendor Advisories (2)

Red Hat
nautilus: Insufficient validation of trust of .desktop files with execute permission (2017-01-31)
Debian
CVE-2017-14604: nautilus - GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the... (2017)

💬 Community (2)

Bugzilla
CVE-2017-14604 nautilus: Insufficient validation of trust of .desktop files with execute permission (2017-09-12)
Bugzilla
CVE-2017-14604 nautilus: nautilus: Insufficient validation of trust of .desktop files with execute permission [fedora-25] (2017-09-12)