Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03eDQ4LTc0NjYtM2czM800CA
Command injection in guake
Guake is a drop-down terminal for GNOME. The package guake before 3.8.5 is vulnerable to Exposed Dangerous Method or Function due to the exposure of execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method. Note: Exploitation requires the user to have installed another malicious program that will be able to send dbus signals or run terminal commands.
Permalink: https://github.com/advisories/GHSA-7x48-7466-3g33JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03eDQ4LTc0NjYtM2czM800CA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: over 1 year ago
CVSS Score: 6.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Identifiers: GHSA-7x48-7466-3g33, CVE-2021-23556
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-23556
- https://github.com/Guake/guake/issues/1796
- https://github.com/Guake/guake/pull/2017
- https://github.com/Guake/guake/pull/2017/commits/e3d671120bfe7ba28f50e256cc5e8a629781b888
- https://github.com/Guake/guake/releases
- https://snyk.io/vuln/SNYK-PYTHON-GUAKE-2386334
- https://github.com/pypa/advisory-database/tree/main/vulns/guake/PYSEC-2022-165.yaml
- https://github.com/advisories/GHSA-7x48-7466-3g33
Blast Radius: 8.3
Affected Packages
pypi:guake
Dependent packages: 0Dependent repositories: 20
Downloads: 669 last month
Affected Version Ranges: < 3.8.5
Fixed in: 3.8.5
All affected versions: 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.4.0, 3.5.0, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.0
All unaffected versions: 3.8.5, 3.9.0