Security features bypass in tracker-miners - CVE-2023-5557
Published: November 22, 2023
Vulnerability identifier: #VU83441
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-5557
CWE-ID: CWE-254
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Gnome Development Team
Affected software:
tracker-miners
tracker-miners
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improperly imposed security restrictions. A malicious file can execute code outside the sandbox if the tracker-extract process has first been compromised by a separate vulnerability.
How to mitigate CVE-2023-5557
Install updates from vendor's website.
Sources
- https://bugzilla.redhat.com/show_bug.cgi?id=2243096
- https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/#tracker-miners-seccomp-sandbox-escape
- https://gitlab.gnome.org/GNOME/tracker-miners/-/issues/277
- https://gitlab.gnome.org/GNOME/tracker-miners/-/merge_requests/480