Bug 2239091 (CVE-2023-43091)

Summary: CVE-2023-43091 gnome-maps: GNOME Maps is vulnerable to a code injection attack (similar to XSS) via its service.json
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: gnome-maps 44.5 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in GNOME Maps, which is vulnerable to a code injection attack via its service.json configuration file. If the configuration file is malicious, it may execute arbitrary code.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2239092    
Bug Blocks:    

Description Sandipan Roy 2023-09-15 07:26:43 UTC 
GNOME Maps is vulnerable to a code injection attack (similar to XSS) 
via its service.json configuration file downloaded from 
https://static.gnome.org/gis.gnome.org/v1/service.json. If the 
configuration file is malicious, it may execute arbitrary code.

Affected versions: 43 prior to 43.7, 44 prior to 44.4

Discoverer/Credit: Michael Evans

References, additional information:
https://gitlab.gnome.org/GNOME/gnome-maps/-/issues/588
https://gitlab.gnome.org/GNOME/gnome-maps/-/commit/d26cd774d524404ef7784e6808f551de83de4bea
Comment 1 Sandipan Roy 2023-09-15 07:27:01 UTC 
Created gnome-maps tracking bugs for this issue:

Affects: fedora-all [bug 2239092]