CVE-2021-23556

The package guake before 3.8.5 are vulnerable to Exposed Dangerous Method or Function due to the exposure of execute_command and execute_command_by_uuid methods via the d-bus interface, which makes it possible for a malicious user to run an arbitrary command via the d-bus method. **Note:** Exploitation requires the user to have installed another malicious program that will be able to send dbus signals or run terminal commands.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.4 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
snykCNA
6.4 MEDIUM
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L/E:P
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 72%
VendorProductVersion
guake-projectguake
𝑥
< 3.8.5
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
guake
bullseye
no-dsa
buster
no-dsa
stretch
postponed
bookworm
3.9.0-2
fixed
sid
3.10-2
fixed
trixie
3.10-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
guake
noble
needs-triage
mantic
ignored
lunar
ignored
kinetic
ignored
jammy
needs-triage
impish
ignored
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
References
https://github.com/Guake/guake/issues/1796
https://github.com/Guake/guake/pull/2017
https://github.com/Guake/guake/pull/2017/commits/e3d671120bfe7ba28f50e256cc5e8a629781b888
https://github.com/Guake/guake/releases
https://snyk.io/vuln/SNYK-PYTHON-GUAKE-2386334
https://github.com/Guake/guake/issues/1796
https://github.com/Guake/guake/pull/2017
https://github.com/Guake/guake/pull/2017/commits/e3d671120bfe7ba28f50e256cc5e8a629781b888
https://github.com/Guake/guake/releases
https://snyk.io/vuln/SNYK-PYTHON-GUAKE-2386334