CVE-2024-36472 Affecting gnome-shell-extension-apps-menu package, versions <0:40.7-19.el9
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-ALMALINUX9-GNOMESHELLEXTENSIONAPPSMENU-8383985
- published 19 Nov 2024
- disclosed 12 Nov 2024
How to fix?
Upgrade AlmaLinux:9 gnome-shell-extension-apps-menu to version 0:40.7-19.el9 or higher.
This issue was patched in ALSA-2024:9114.
NVD Description
Note: Versions mentioned in the description apply only to the upstream gnome-shell-extension-apps-menu package and not the gnome-shell-extension-apps-menu package as distributed by AlmaLinux.
See How to fix? for AlmaLinux:9 relevant fixed versions and status.
In GNOME Shell through 45.7, a portal helper can be launched automatically (without user confirmation) based on network responses provided by an adversary (e.g., an adversary who controls the local Wi-Fi network), and subsequently loads untrusted JavaScript code, which may lead to resource consumption or other impacts depending on the JavaScript code's behavior.
References
- https://errata.almalinux.org/8/ALSA-2024-5298.html
- https://errata.almalinux.org/9/ALSA-2024-9114.html
- https://access.redhat.com/security/cve/CVE-2024-36472
- https://access.redhat.com/errata/RHSA-2024:5298
- https://access.redhat.com/errata/RHSA-2024:9114
- https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688