CVE-2019-12795Incorrect Default Permissions in Gvfs

CWE-276Incorrect Default PermissionsCWE-285Improper Authorization9 documents7 sources
Severity
7.8HIGHNVD
OSV7.3
EPSS
0.1%
top 81.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Gnome GvfsDebian Gvfs
Timeline
PublishedJun 11
Latest updateMay 24

Description

daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

NVDgnome/gvfs1.40.01.40.2+2
Debiangnome/gvfs< 1.38.1-5+3
Ubuntugnome/gvfs< 1.28.2-1ubuntu1~16.04.3+1
debiandebian/gvfs< gvfs 1.38.1-5 (bookworm)

Patches

Patch: gitlab.gnome.orgPatch: gitlab.gnome.orgPatch: gitlab.gnome.org

🔴Vulnerability Details

3
GHSA
GHSA-whx7-c8j2-42vv: daemon/gvfsdaemon2022-05-24
OSV
gvfs vulnerabilities2019-07-09
OSV
CVE-2019-12795: daemon/gvfsdaemon2019-06-11

📋Vendor Advisories

3
Ubuntu
GVfs vulnerabilities2019-07-09
Red Hat
gvfs: improper authorization in daemon/gvfsdaemon.c in gvfsd2019-06-05
Debian
CVE-2019-12795: gvfs - daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2...2019

💬Community

2
Bugzilla
CVE-2019-12795 gvfs: improper authorization in daemon/gvfsdaemon.c in gvfsd2019-07-03
Bugzilla
CVE-2019-12795 gvfs: improper authorization in daemon/gvfsdaemon.c in gvfsd [fedora-all]2019-07-03
CVE-2019-12795 — Incorrect Default Permissions in Gvfs | cvebase