CVE-2023-43091

Published: Nov 17, 2024Modified: Jun 17, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: patrick@puiterwijk.org (Secondary)

Description

A flaw was found in GNOME Maps, which is vulnerable to a code injection attack via its service.json configuration file. If the configuration file is malicious, it may execute arbitrary code.

Affected (2)

Products: Gnome: Gnome Maps

Gnome

1 product

Gnome Maps

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Gnome Gnome Maps	From 43.0 to 43.7
Gnome Gnome Maps	From 44.0 to 44.4

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (3)

https://bugzilla.redhat.com/show_bug.cgi?id=2239091

Source: patrick@puiterwijk.org

Issue TrackingThird Party Advisory

https://gitlab.gnome.org/GNOME/gnome-maps/-/commit/d26cd774d524404ef7784e6808f551de83de4bea

Source: patrick@puiterwijk.org

Patch

https://gitlab.gnome.org/GNOME/gnome-maps/-/issues/588

Source: patrick@puiterwijk.org

ExploitIssue Tracking

Timeline

No history available yet.