Gtk3: gtk2: library injection from cwd
CVE-2024-6655

7HIGH

Key Information:

Vendor
Red Hat
Status
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 9
Vendor
CVE Published:
16 July 2024

Summary

A significant flaw has been identified within the GTK library, allowing an attacker to potentially inject a malicious library into a GTK application through manipulation of the current working directory. This vulnerability arises under specific conditions where the library path can be controlled, leading to possible exploitation of applications that utilize GTK for their graphical user interface. It poses risks to application integrity and could be exploited to execute arbitrary code in the context of the affected application. Mitigation and updates from vendors are essential to secure systems against this vulnerability.

Affected Version(s)

Red Hat Enterprise Linux 8 0:3.22.30-12.el8_10

References

https://access.redhat.com/errata/RHSA-2024:6963
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-6655
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2297098
issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

.