CVE-2019-12749

Severity: 7.1 HIGH
EPSS: 0.0% (top 92.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 11; Latest update May 24

Description

dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusSe

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Exploitability: 1.8 | Impact: 5.2

Affected Packages (2 packages)

NVD: freedesktop/dbus 1.12.0 1.12.16 (+2)
Debian: dbus < 1.12.16-1 (+3)

Also affects: Ubuntu Linux 16.04, 18.04, 18.10, 19.04

🔴 Vulnerability Details (3)

GHSA: GHSA-2hpj-v4f4-7g4j: dbus before 1 (2022-05-24)
OSV: CVE-2019-12749: dbus before 1 (2019-06-11)
CVEList: CVE-2019-12749: dbus before 1 (2019-06-11)

📋 Vendor Advisories (5)

Ubuntu: DBus vulnerability (2019-06-12)
Red Hat: dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (2019-06-11)
Ubuntu: DBus vulnerability (2019-06-11)
Microsoft: dbus before 1.10.28 1.12.x before 1.12.16 and 1.13.x before 1.13.12 as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some less common uses of dbus-daemon) allows cookie spoofing beca (2019-06-11)
Debian: CVE-2019-12749: dbus - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used i... (2019)

💬 Community (2)

Bugzilla: CVE-2019-12749 dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass [fedora-all] (2019-06-17)
Bugzilla: CVE-2019-12749 dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass (2019-06-11)
CVE-2019-12749 (HIGH CVSS 7.1) | dbus before 1.10.28 | cvebase.io