CVE-2008-4311 — Dbus vulnerability

CWE-167 documents7 sources

Severity

4.6MEDIUMNVD

EPSS

0.0%

top 90.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Freedesktop Dbus

Timeline

PublishedDec 10

Latest updateMay 2

Description

The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply.

CVSS vector

AV:L/AC:L/C:P/I:P/A:PExploitability: 3.9 | Impact: 6.4

Affected Packages2 packages

▶Debianfreedesktop/dbus< 1.2.1-5+3

▶NVDfreedesktop/dbus1.2.4+42

🔴Vulnerability Details

GHSA

GHSA-hpmr-9r6f-w2rr: The default configuration of system↗2022-05-02

▶

CVEList

CVE-2008-4311: The default configuration of system↗2008-12-10

▶

OSV

CVE-2008-4311: The default configuration of system↗2008-12-10

▶

📋Vendor Advisories

Red Hat

dbus: incorrect use of [send|receive]_requested_reply policy rule attribute in system.conf↗2008-12-05

▶

Debian

CVE-2008-4311: dbus - The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits ...↗2008

▶

💬Community

Bugzilla

CVE-2008-4311 dbus: incorrect use of [send|receive]_requested_reply policy rule attribute in system.conf↗2008-10-30

▶