File Type Spoofing in GNOME Nautilus by GNOME
CVE-2017-14604

6.5MEDIUM

Key Information:

Vendor: Gnome
Status: Vendor
CVE Published: 20 September 2017

What is CVE-2017-14604?

GNOME Nautilus prior to version 3.23.90 is susceptible to a vulnerability that lets attackers spoof file types using the .desktop file extension. A .desktop file's Name field controls what Nautilus displays, so an attacker can set it to a name with a false extension such as .pdf while the Exec field references a potentially harmful command that runs when the user opens the file. The flaw is serious because Nautilus gives no user interface indication that the item is, in fact, a .desktop file. A slight mitigating factor is that the .desktop file must have execute permissions. The recommended fix is to prompt for confirmation when such a file is opened and to remember the user's choice through the metadata::trusted field.

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
