CVE-2017-14604

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2017-14604
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14604.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2017-14604
Downstream
Related
Published
2017-09-20T08:29:00.270Z
Modified
2026-02-18T01:08:01.483219Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to have execute permission. The solution is to ask the user to confirm that the file is supposed to be treated as a .desktop file, and then remember the user's answer in the metadata::trusted field.

References

Affected packages

Git / github.com/gnome/nautilus

Affected ranges

Type
GIT
Repo
https://github.com/gnome/nautilus
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
bc919205bf774f6af3fa7154506c46039af5a69b

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-14604.json"