CVE-2008-0595
MEDIUM severity · CVSS 4.6 · Incorrect authorization
Summary
dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.
Impact & exploitability
Attack vector: Local
Attack complexity: Low
Privileges required: —
User interaction: —
Confidentiality impact: —
Integrity impact: —
Availability impact: —
Exploit probability (EPSS): 0%
AV:L/AC:L/Au:N/C:P/I:P/A:P
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Official patch: http://lists.freedesktop.org/archives/dbus/2008-February/009401.html
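To scope exposure before patching, the following added example (not code from the advisory or from the D-Bus project) checks a version against the affected ranges in the summary and lists the `<allow>` rules in a bus policy that rely on `send_interface`, which are the rules to review on an affected host. The sample policy and the `org.example.*` names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; the org.example.* names are placeholders.
SAMPLE_POLICY = """<busconfig>
  <policy context="default">
    <deny send_interface="org.example.Admin"/>
    <allow send_interface="org.example.Status"/>
    <allow send_destination="org.example.Svc"
           send_interface="org.example.Admin" send_member="Reload"/>
    <allow own="org.example.Svc"/>
  </policy>
</busconfig>"""


def parse_version(version):
    """'1.0.2' -> (1, 0, 2); short versions are zero-padded to three parts."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_affected(version):
    """Ranges from the CVE summary: before 1.0.3, and 1.1.x before 1.1.20."""
    v = parse_version(version)
    if v[:2] == (1, 1):
        return v < (1, 1, 20)
    return v < (1, 0, 3)


def interface_scoped_allows(policy_xml):
    """Return (policy scope, rule attributes) for <allow> rules using send_interface."""
    hits = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        # A <policy> is scoped by context, user or group; keep whichever is set.
        scope = policy.get("context") or policy.get("user") or policy.get("group")
        for rule in policy.findall("allow"):
            if "send_interface" in rule.attrib:
                hits.append((scope, dict(rule.attrib)))
    return hits


def audit(version, policy_xml):
    """Rules to review on this host; empty when the version is already fixed."""
    return interface_scoped_allows(policy_xml) if is_affected(version) else []


if __name__ == "__main__":
    for scope, attrs in audit("1.0.2", SAMPLE_POLICY):
        print(f"review <allow> in policy '{scope}': {attrs}")
```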
Additional information
- NVD record
- http://lists.freedesktop.org/archives/dbus/2008-February/009401.html (Patch)
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00004.html (Advisory)
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00094.html (Advisory)
- http://secunia.com/advisories/29148
- http://secunia.com/advisories/29160
- http://secunia.com/advisories/29171
- http://secunia.com/advisories/29173
- http://secunia.com/advisories/29281