Vulnerability Details : CVE-2017-8288
gnome-shell 3.22 through 3.24.1 mishandles extensions that fail to reload, which can lead to leaving extensions enabled in the lock screen. With these extensions, a bystander could launch applications (but not interact with them), see information from the extensions (e.g., what applications you have opened or what music you were playing), or even execute arbitrary commands. It all depends on what extensions a user has enabled. The problem is caused by lack of exception handling in js/ui/extensionSystem.js.
Vulnerability category: Input validation
Products affected by CVE-2017-8288
- cpe:2.3:a:gnome:gnome-shell:3.24.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gnome-shell:3.22.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gnome-shell:3.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gnome-shell:3.23.92:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gnome-shell:3.22.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gnome-shell:3.23.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gnome-shell:3.23.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gnome-shell:3.23.90:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gnome-shell:3.23.91:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gnome-shell:3.22.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gnome-shell:3.22.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnome:gnome-shell:3.24.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-8288
- EPSS score: 0.42% (probability of exploitation activity in the next 30 days)
- Percentile: ~71% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2017-8288
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P | 8.6 | 6.4 | NIST | |
8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.2 | 5.9 | NIST | |
CWE ids for CVE-2017-8288
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-8288
- https://github.com/EasyScreenCast/EasyScreenCast/issues/46
  Locking Screen sometimes dock and window list will remain in view · Issue #46 · EasyScreenCast/EasyScreenCast · GitHub (Third Party Advisory)
- http://www.securityfocus.com/bid/98070
  GNOME gnome-shell CVE-2017-8288 Lock Screen Local Security Bypass Vulnerability (Third Party Advisory; VDB Entry)
- https://github.com/GNOME/gnome-shell/commit/ff425d1db7082e2755d2a405af53861552acf2a1
  extensionSystem: handle reloading broken extensions · GNOME/gnome-shell@ff425d1 · GitHub (Issue Tracking; Patch; Third Party Advisory)
- https://bugzilla.gnome.org/show_bug.cgi?id=781728
  Bug 781728 – Extensions enabled in screenshield if one extension fails to reload (Issue Tracking)
- https://bugs.kali.org/view.php?id=2513
  0002513: Lockscreen doesn't always hide the menus and the dock - Kali Linux Bug Tracker (Issue Tracking)