CVE-2023-43641

Published: 09 Oct 2023
Source: redhat
CVSS3: 8.8

Description

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to ~/Downloads, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.

A flaw was found in libcue, which is consumed by the tracker-miners application. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious web page, allowing remote code execution.

Report

The libcue library is disabled in Red Hat builds of the tracker-miners package, making Red Hat Enterprise Linux 7, 8 and 9 not affected by this vulnerability.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat Enterprise Linux 7 | tracker-miners | Not affected | | |
| Red Hat Enterprise Linux 8 | tracker-miners | Not affected | | |
| Red Hat Enterprise Linux 9 | tracker-miners | Not affected | | |

Additional information

Status: Important
Defect: CWE-787
https://bugzilla.redhat.com/show_bug.cgi?id=2243166 libcue: out-of-bounds array access leads to RCE
CVSS3: 8.8 High

Related vulnerabilities

CVSS3: 8.8
ubuntu
more than 1 year ago

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.

CVSS3: 8.8
nvd
more than 1 year ago

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.

CVSS3: 8.8
debian
more than 1 year ago

libcue provides an API for parsing and extracting data from CUE sheets ...

suse-cvrf
more than 1 year ago

Security update for libcue

CVSS3: 8.8
fstec
more than 1 year ago

Vulnerability in the application programming interface of the libcue library that allows an attacker to execute arbitrary code