CVE-2023-49342: 
Linux Debian vulnerability analysis and mitigation

The vulnerability (CVE-2023-49342) affects the Budgie Extras Clockworks applet, discovered in December 2023. The issue involves temporary data being stored in a publicly accessible location that could be manipulated by local users. The vulnerability affects Budgie Extras versions from 1.4.0 up to (excluding) 1.7.1 (NVD, Ubuntu Security).

The vulnerability stems from the use of predictable temporary file paths in the /tmp directory by the Clockworks applet. The application stores data in a location that is accessible to any user with local system access. The CVSS v3.1 base score is 6.0 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H, indicating local access is required but no user interaction is needed (NVD, GitHub Advisory).

The vulnerability allows attackers to potentially view or manipulate temporary data passed between application components. Attackers with local access can pre-create and control the file to present false information to users or deny access to the application and panel. Since the applet runs in the same thread as the budgie panel, crashing the applet can potentially crash the entire panel (GitHub Advisory).

The vulnerability has been fixed in version 1.7.1 of Budgie Extras. The fix involves replacing the public /tmp directory with the user's private XDG_RUNTIME_DIR, with a fallback to the user's HOME directory. As a temporary workaround, the issue can be mitigated by having only one user account on the system and limiting physical access to other users (GitHub Advisory, Ubuntu Security).