CVE-2023-49344: 
Linux Debian vulnerability analysis and mitigation

Budgie Extras Window Shuffler applet contains a vulnerability (CVE-2023-49344) where temporary data passed between application components could be viewed or manipulated. The vulnerability was discovered in versions from 1.4.0 up to (excluding) 1.7.1, and was disclosed on December 14, 2023. The issue affects the Window Shuffler component of the Budgie Extras package, which is part of the Budgie desktop environment (GHSA Advisory, NVD).

The vulnerability stems from the application storing temporary data in a location accessible to any user with local system access. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) by NIST with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Canonical Ltd. assessed it at 6.0 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H. The vulnerability is categorized under CWE-668 (Exposure of Resource to Wrong Sphere) and CWE-377 (Insecure Temporary File) (NVD).

The vulnerability allows attackers to potentially view or manipulate temporary data, present false information to users, or deny access to the application and panel. The impact includes the possibility of displaying attacker-controlled content in the victim's GUI, manipulation of window management behaviors, and potential denial-of-service conditions (GHSA Advisory).

The vulnerability has been fixed in version 1.7.1 of budgie-extras. Ubuntu has released security updates for affected versions: Ubuntu 23.10 (1.7.0-3.0ubuntu1), Ubuntu 23.04 (1.6.0-1ubuntu0.1), and Ubuntu 22.04 (1.4.0-1ubuntu3.1). As a workaround before applying patches, the impact can be mitigated by limiting the system to a single user account and restricting physical access to the host system (USN-6556-1).