CVE-2023-49346: 
Linux Debian vulnerability analysis and mitigation

The CVE-2023-49346 vulnerability affects the Budgie Extras WeatherShow applet, discovered and disclosed in December 2023. This security flaw involves temporary data passed between application components that could be viewed or manipulated. The vulnerability affects versions from 1.4.0 up to (excluding) 1.7.1 of the budgie-extras package (GitHub Advisory, Ubuntu Advisory).

The vulnerability stems from improper handling of temporary file paths where weather data is stored in a location accessible to any user with local system access. The issue has been assigned a CVSS v3.1 base score of 7.8 (HIGH) by NIST with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Canonical Ltd. assessed it with a score of 6.0 (MEDIUM) with vector string CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H. The vulnerability is categorized under CWE-668 (Exposure of Resource to Wrong Sphere) and CWE-377 (Insecure Temporary File) (NVD).

The vulnerability allows local attackers to potentially view and manipulate weather data displayed by the applet. Since the applet runs in the same thread as the budgie-panel, exploitation could lead to the entire panel crashing. Additionally, attackers can present false information to users or deny access to the application and panel (GitHub Advisory).

The vulnerability has been fixed in version 1.7.1 of budgie-extras. The fix involves replacing the public /tmp directory with the user's private XDG_RUNTIME_DIR, with a fallback to the user's HOME directory. As a temporary workaround before updating, the issue can be mitigated by limiting the system to a single user account and restricting physical access to other users (GitHub Advisory).