CVE-2017-1000024
Published: 17 July 2017
Shotwell versions 0.24.4 or earlier and 0.25.3 or earlier are vulnerable to an information disclosure in the web publishing plugins, resulting in potential plaintext transmission of passwords and OAuth tokens.
Priority
Status
Package | Release | Status |
---|---|---|
shotwell Launchpad, Ubuntu, Debian | zesty | Released (0.22.0+git20160108.r1.f2fb1f7-0ubuntu3.1) |
shotwell | trusty | Released (0.18.0-0ubuntu4.5) |
shotwell | upstream | Released (0.24.5, 0.25.4) |
shotwell | xenial | Released (0.22.0+git20160108.r1.f2fb1f7-0ubuntu1.1) |
shotwell | yakkety | Ignored (end of life) |

Patches: upstream: https://git.gnome.org/browse/shotwell/commit/?h=shotwell-0.24&id=bc26ea644264c85b9355f265b2e0afefe4943986 (0.24.x)
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |