GNOME Yelp Arbitrary File Read Vulnerability Allowing User Data Exfiltration
Vulnerability
A vulnerability in Yelp, the GNOME help application, allows help documents to execute arbitrary JavaScript. This could lead to unauthorized access and exfiltration of user files to a remote server. The issue arises because Yelp can be manipulated to include scripts in help documents, which are then executed with the user's permissions. The vulnerability is triggered by opening a specially crafted help document that exploits this script execution capability.
Impact
Exploitation of this vulnerability allows for arbitrary file reads, with the potential to exfiltrate sensitive files, such as SSH keys, to an external server.
Reproduction
To reproduce this vulnerability, create a help document that includes a script designed to exfiltrate data. This document can be uploaded to a location accessible by the victim. Once the document is in place, the attacker can use a phishing link to direct the user to open the document via the 'ghelp' URI scheme, which Yelp handles. This action will trigger the script execution, leading to the file exfiltration.
Remediation
Patched Yelp packages are available for Red Hat Enterprise Linux 8.2, 8.4, 8.6, 8.8, 9.0, 9.2, 9.4, and 9.6; users should upgrade to them. For Debian 11, the fixed package version is 3.38.3-1+deb11u1.