{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-43641","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2023-09-20T15:35:38.146Z","datePublished":"2023-10-09T21:01:04.603Z","dateUpdated":"2025-12-16T18:23:25.393Z"},"containers":{"cna":{"title":"libcue vulnerable to out-of-bounds array access","problemTypes":[{"descriptions":[{"cweId":"CWE-787","lang":"en","description":"CWE-787: Out-of-bounds Write","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/","tags":["x_refsource_CONFIRM"],"url":"https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/"},{"name":"https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj","tags":["x_refsource_MISC"],"url":"https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj"},{"name":"https://github.com/lipnitsk/libcue/commit/cfb98a060fd79dbc3463d85f0f29c3c335dfa0ea","tags":["x_refsource_MISC"],"url":"https://github.com/lipnitsk/libcue/commit/cfb98a060fd79dbc3463d85f0f29c3c335dfa0ea"},{"name":"https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e","tags":["x_refsource_MISC"],"url":"https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/57JEYTRFG4PVGZZ7HIEFTX5I7OONFFMI/"},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00018.html"},{"url":"https://www.debian.org/security/2023/dsa-5524"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGQOMFDBXGM3DOICCXKCUS76OTKTSPMN/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XUS4HTNGGGUIFLYSKTODCRIOXLX5HGV3/"},{"url":"http://packetstormsecurity.com/files/176128/libcue-2.2.1-Out-Of-Bounds-Access.html"}],"affected":[{"vendor":"lipnitsk","product":"libcue","versions":[{"version":"<= 2.2.1","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2023-12-09T19:06:15.735Z"},"descriptions":[{"lang":"en","value":"libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0."}],"source":{"advisory":"GHSA-345j-mp2x-2x7w","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2023-43641","role":"CISA Coordinator","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2024-05-14T04:00:17.227655Z"}}}],"affected":[{"cpes":["cpe:2.3:a:lipnitsk:libcue:-:*:*:*:*:*:*:*"],"vendor":"lipnitsk","product":"libcue","versions":[{"status":"affected","version":"-","lessThan":"<= 2.2.1","versionType":"custom"}],"defaultStatus":"unknown"}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-12-16T18:23:25.393Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T19:44:43.840Z"},"title":"CVE Program Container","references":[{"name":"https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/","tags":["x_refsource_CONFIRM","x_transferred"],"url":"https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/"},{"name":"https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj"},{"name":"https://github.com/lipnitsk/libcue/commit/cfb98a060fd79dbc3463d85f0f29c3c335dfa0ea","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/lipnitsk/libcue/commit/cfb98a060fd79dbc3463d85f0f29c3c335dfa0ea"},{"name":"https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e","tags":["x_refsource_MISC","x_transferred"],"url":"https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/57JEYTRFG4PVGZZ7HIEFTX5I7OONFFMI/","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00018.html","tags":["x_transferred"]},{"url":"https://www.debian.org/security/2023/dsa-5524","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PGQOMFDBXGM3DOICCXKCUS76OTKTSPMN/","tags":["x_transferred"]},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XUS4HTNGGGUIFLYSKTODCRIOXLX5HGV3/","tags":["x_transferred"]},{"url":"http://packetstormsecurity.com/files/176128/libcue-2.2.1-Out-Of-Bounds-Access.html","tags":["x_transferred"]}]}]}}