Vulnerability Description
GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to execute arbitrary commands on an unattended workstation by making many PrtSc requests and leveraging a temporary lock outage, and the resulting temporary shell availability, caused by the Linux kernel OOM killer.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gnome | Gnome-Shell | 3.14.0 |
| Redhat | Enterprise Linux Desktop | 7.0 |
| Redhat | Enterprise Linux Hpc Node | 7.0 |
| Redhat | Enterprise Linux Server | 7.0 |
| Redhat | Enterprise Linux Workstation | 7.0 |
Related Weaknesses (CWE)
References
- http://openwall.com/lists/oss-security/2014/09/29/17Mailing ListThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2015-0535.htmlThird Party Advisory
- https://bugzilla.gnome.org/show_bug.cgi?id=737456Issue TrackingVendor Advisory
- https://git.gnome.org/browse/gnome-shell/commit/?id=a72dca361080ffc9f45ff90188a7Issue TrackingPatch
- https://git.gnome.org/browse/gnome-shell/commit/?id=f02b007337e61436aaa0e81a86adIssue TrackingPatch
- http://openwall.com/lists/oss-security/2014/09/29/17Mailing ListThird Party Advisory
- http://rhn.redhat.com/errata/RHSA-2015-0535.htmlThird Party Advisory
- https://bugzilla.gnome.org/show_bug.cgi?id=737456Issue TrackingVendor Advisory
- https://git.gnome.org/browse/gnome-shell/commit/?id=a72dca361080ffc9f45ff90188a7Issue TrackingPatch
- https://git.gnome.org/browse/gnome-shell/commit/?id=f02b007337e61436aaa0e81a86adIssue TrackingPatch
FAQ
What is CVE-2014-7300?
CVE-2014-7300 is a vulnerability with a CVSS score of 7.2 (HIGH). GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to exe...
How severe is CVE-2014-7300?
CVE-2014-7300 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-7300?
Check the references section above for vendor advisories and patch information. Affected products include: Gnome Gnome-Shell, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Hpc Node, Redhat Enterprise Linux Server, Redhat Enterprise Linux Workstation.