CVE-2023-49347
Published: 14 December 2023
Temporary data passed between application components by Budgie Extras Windows Previews could potentially be viewed or manipulated. The data is stored in a location that is accessible to any user who has local access to the system. Attackers may read private information from windows, present false information to users, or deny access to the application.
From the Ubuntu Security Team
Matthias Gerstner discovered that the Windows Previews application of Budgie Extras used predictable temporary file paths which are world editable. An attacker could use this to inject false information, read information, or deny access to the application.
Notes
Author | Note |
---|---|
eslerm | CWE-377 and CWE-668 |
Priority
Status
Package | Release | Status |
---|---|---|
budgie-extras | bionic | Needs triage |
budgie-extras | focal | Needs triage |
budgie-extras | jammy | Released (1.4.0-1ubuntu3.1) |
budgie-extras | lunar | Released (1.6.0-1ubuntu0.1) |
budgie-extras | mantic | Released (1.7.0-3.0ubuntu1) |
budgie-extras | noble | Needs triage |
budgie-extras | trusty | Ignored (end of standard support) |
budgie-extras | upstream | Needs triage |
budgie-extras | xenial | Ignored (end of standard support) |
Patches:
upstream: https://github.com/UbuntuBudgie/budgie-extras/commit/588cbe6ffa72df904213d77728a3fd5bfae7195e
upstream: https://github.com/UbuntuBudgie/budgie-extras/commit/a7a72c73bf4e6e5d1c54b7cc14313b47400a3a4c
Severity score breakdown
Parameter | Value |
---|---|
Base score | 6.0 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | High |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |