CVE-2009-1189: Improper Input Validation in Dbus

Severity: 3.6 LOW (NVD); CNA 2.1; OSV 2.1
EPSS: 1.1% (top 21.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 27; Latest update May 2

Description

The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834.

CVSS vector

AV:L/AC:L/C:N/I:P/A:P
Exploitability: 3.9 | Impact: 4.9

Affected Packages (2 packages)

Debian: freedesktop/dbus < 1.2.14-1+3
NVD: freedesktop/dbus 1.2.3+45

🔴 Vulnerability Details

GHSA
GHSA-2332-hcww-wjmr: The _dbus_validate_signature_with_reason function (dbus-marshal-validate | 2022-05-02
CVEList
CVE-2009-1189: The _dbus_validate_signature_with_reason function (dbus-marshal-validate | 2009-04-27
OSV
CVE-2009-1189: The _dbus_validate_signature_with_reason function (dbus-marshal-validate | 2009-04-27

📋 Vendor Advisories

Ubuntu
D-Bus vulnerability | 2009-07-13
Red Hat
dbus: invalid fix for CVE-2008-3834 | 2009-04-16
Debian
CVE-2009-1189: dbus - The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D... | 2009

💬 Community

Bugzilla
CVE-2009-1189 dbus: invalid fix for CVE-2008-3834 | 2009-04-20
CVE-2009-1189 — Improper Input Validation in Dbus | cvebase