Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2023-43641

Опубликовано: 09 окт. 2023
Источник: debian
EPSS Высокий

Описание

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
libcuefixed2.2.1-4.1package

Примечания

  • https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj

  • https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/

  • Fixed by: https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e (v2.3.0)

  • https://www.openwall.com/lists/oss-security/2023/10/09/3

EPSS

Процентиль: 99%
0.78934
Высокий

Связанные уязвимости

ubuntu логотип

CVE-2023-43641

CVSS3: 8.8
ubuntu
больше 1 года назад

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.

redhat логотип

CVE-2023-43641

CVSS3: 8.8
redhat
больше 1 года назад

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.

nvd логотип

CVE-2023-43641

CVSS3: 8.8
nvd
больше 1 года назад

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.

suse-cvrf логотип

SUSE-SU-2023:4090-1

suse-cvrf
больше 1 года назад

Security update for libcue

fstec логотип

BDU:2023-06566

CVSS3: 8.8
fstec
больше 1 года назад

Уязвимость прикладного программного интерфейса библиотеки libcue, позволяющая нарушителю выполнить произвольный код

EPSS

Процентиль: 99%
0.78934
Высокий