CVE-2017-8288: Input Validation
First published: Thu Apr 27 2017(Updated: )
gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen. With these extensions, a bystander could launch applications (but not interact with them), see information from the extensions (e.g., what applications you have opened or what music you were playing), or even execute arbitrary commands. It all depends on what extensions a user has enabled. The problem is caused by lack of exception handling in js/ui/extensionSystem.js.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Gnome-shell | =3.22.0 | |
| Gnome-shell | =3.22.1 | |
| Gnome-shell | =3.22.2 | |
| Gnome-shell | =3.22.3 | |
| Gnome-shell | =3.23.1 | |
| Gnome-shell | =3.23.2 | |
| Gnome-shell | =3.23.3 | |
| Gnome-shell | =3.23.90 | |
| Gnome-shell | =3.23.91 | |
| Gnome-shell | =3.23.92 | |
| Gnome-shell | =3.24.0 | |
| Gnome-shell | =3.24.1 | |
| debian/gnome-shell | 3.38.6-1~deb11u2 43.9-0+deb12u2 48.0-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/98070
- https://bugs.kali.org/view.php?id=2513
- https://bugzilla.gnome.org/show_bug.cgi?id=781728
- https://github.com/EasyScreenCast/EasyScreenCast/issues/46
- https://github.com/GNOME/gnome-shell/commit/ff425d1db7082e2755d2a405af53861552acf2a1
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8288
- https://nvd.nist.gov/vuln/detail/CVE-2017-8288
- https://launchpad.net/bugs/cve/CVE-2017-8288
- https://security-tracker.debian.org/tracker/CVE-2017-8288
- https://ubuntu.com/security/CVE-2017-8288
Frequently Asked Questions
What is the severity of CVE-2017-8288?
CVE-2017-8288 has a medium severity, as it allows unauthorized access to application information through enabled extensions on the lock screen.
How do I fix CVE-2017-8288?
To mitigate CVE-2017-8288, upgrade to gnome-shell version 3.38.6-1~deb11u2 or higher.
Which versions of gnome-shell are affected by CVE-2017-8288?
CVE-2017-8288 affects gnome-shell versions 3.22.0 to 3.24.1.
What are the implications of CVE-2017-8288 for users?
Users may inadvertently expose application information to unauthorized individuals due to extensions remaining enabled in the lock screen.
Is CVE-2017-8288 a server-side vulnerability?
CVE-2017-8288 is primarily a client-side vulnerability affecting the gnome-shell user interface.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/remedy
- agent/first-publish-date
- agent/references
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- agent/last-modified-date
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/tags
- agent/softwarecombine
- collector/security-tracker-debian
- source/Debian
- vendor/gnome
- canonical/gnome-shell
- version/gnome-shell/3.22.0
- version/gnome-shell/3.22.1
- version/gnome-shell/3.22.2
- version/gnome-shell/3.22.3
- version/gnome-shell/3.23.1
- version/gnome-shell/3.23.2
- version/gnome-shell/3.23.3
- version/gnome-shell/3.23.90
- version/gnome-shell/3.23.91
- version/gnome-shell/3.23.92
- version/gnome-shell/3.24.0
- version/gnome-shell/3.24.1
- package-manager/debian