CVE-2019-13012

Severity
7.5 HIGH
EPSS
0.8%
top 25.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jun 28
Latest update: May 24

Description

The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir, NULL, NULL) and files using g_file_replace_contents (kfsb->file, contents, length, NULL, FALSE, G_FILE_CREATE_REPLACE_DESTINATION, NULL, NULL, NULL). Consequently, it does not properly restrict directory (and file) permissions. Instead, for directories, 0777 permissions are used; for files, default file permissions are used. This is similar to CVE-2019-1

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

NVD gnome/glib 2.0.0 2.59.1
Debian glib2.0 < 2.60.5-1+3

Patches

🔴 Vulnerability Details (3)

GHSA (2022-05-24)
GHSA-4cmr-h54h-4w78: The keyfile settings backend in GNOME GLib (aka glib2
OSV (2019-06-28)
CVE-2019-13012: The keyfile settings backend in GNOME GLib (aka glib2
CVEList (2019-06-28)
CVE-2019-13012: The keyfile settings backend in GNOME GLib (aka glib2

📋 Vendor Advisories (5)

Ubuntu (2019-07-08)
GLib vulnerability
Ubuntu (2019-07-08)
GLib vulnerability
Red Hat (2019-06-28)
glib2: insecure permissions for files and directories
Microsoft (2019-06-11)
The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates directories using g_file_make_directory_with_parents (kfsb->dir NULL NULL) and files using g_file_replace_contents (kfsb-
Debian (2019)
CVE-2019-13012: glib2.0 - The keyfile settings backend in GNOME GLib (aka glib2.0) before 2.60.0 creates d...

💬 Community (2)

Bugzilla (2019-07-10)
CVE-2019-13012 glib2: insecure permissions for files and directories
Bugzilla (2019-07-10)
CVE-2019-13012 glib2: insecure permissions for files and directories [fedora-all]
CVE-2019-13012 (HIGH CVSS 7.5) | The keyfile settings backend in GNO | cvebase.io