
CVE-2017-12447 – Ubuntu Security Notice USN-3912-1
https://notcve.org/view.php?id=CVE-2017-12447
07 Mar 2019 — GdkPixBuf (aka gdk-pixbuf), possibly 2.32.2, as used by GNOME Nautilus 3.14.3 on Ubuntu 16.04, allows attackers to cause a denial of service (stack corruption) or possibly have unspecified other impact via a crafted file folder. • https://bugzilla.gnome.org/show_bug.cgi?id=785979 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVE-2017-14604 – nautilus: Insufficient validation of trust of .desktop files with execute permission
https://notcve.org/view.php?id=CVE-2017-14604
20 Sep 2017 — GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command. In other words, Nautilus provides no UI indication that a file actually has the potentially unsafe .desktop extension; instead, the UI only shows the .pdf extension. One (slightly) mitigating factor is that an attack requires the .desktop file to have execute p... • http://www.debian.org/security/2017/dsa-3994 • CWE-20: Improper Input Validation • CWE-345: Insufficient Verification of Data Authenticity