An untrusted .desktop file with executable permission set could choose its displayed name and icon, and execute commands without warning when opened by the user. An attacker could use this flaw to trick a user into opening a .desktop file disguised as a document, such as a PDF, and execute arbitrary commands.
Find out more about CVE-2017-14604 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS3 Base Score | 4.8 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
Attack Vector | Local |
Attack Complexity | Low |
Privileges Required | Low |
User Interaction | Required |
Scope | Unchanged |
Confidentiality | Low |
Integrity Impact | Low |
Availability Impact | Low |
Platform | Errata | Release Date |
---|---|---|
Red Hat Enterprise Linux 7 (nautilus) | RHSA-2018:0223 | 2018-01-25 |
Platform | Package | State |
---|---|---|
Red Hat Enterprise Linux 6 | nautilus | Will not fix |
Red Hat Enterprise Linux 5 | nautilus | Will not fix |