CVE-2017-14604

MEDIUM

GNOME Nautilus <3.23.90 - Info Disclosure

Title source: llm
STIX 2.1

Description

GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to have execute permission. The solution is to ask the user to confirm that the file is supposed to be treated as a .desktop file, and then remember the user's answer in the metadata::trusted field.

References (9)

Core 9
Core References
Third Party Advisory x_refsource_misc
https://github.com/freedomofpress/securedrop/issues/2238
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860268
Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.gnome.org/show_bug.cgi?id=777991
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/101012
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2017/dsa-3994
Exploit, Third Party Advisory x_refsource_misc
https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0223

Scores

CVSS v3 6.5
EPSS 0.0391
EPSS Percentile 88.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-20
Status published
Products (4)
debian/debian_linux 8.0
debian/debian_linux 9.0
debian/debian_linux 10.0
gnome/nautilus < 3.23.90
Published Sep 20, 2017
Tracked Since Feb 18, 2026