CVE-2023-3297

CWE-416 — Use After Free CWE-79 — Cross-site Scripting (XSS)10 documents9 sources

Severity

7.8HIGH

EPSS

0.0%

top 87.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Canonical Accountsservice Canonical Ubuntu Linux

Timeline

PublishedSep 1

Latest updateSep 25

Description

In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 1.4 | Impact: 6.0

Affected Packages2 packages

▶NVDcanonical/accountsservice< 23.13.9-2ubuntu2+3

▶Ubuntuaccountsservice< 0.6.55-0ubuntu12~20.04.6+4

Also affects: Ubuntu Linux 20.04, 22.04, 22.10, 23.04

🔴Vulnerability Details

CVEList

CVE-2023-3297: In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to↗2023-09-01

▶

GHSA

GHSA-gr7p-26mx-9pgw: In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to↗2023-09-01

▶

OSV

CVE-2023-3297: In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to↗2023-06-28

▶

GHSA

Pimcore Cross-site Scripting in Predefined Asset Metadata module in Settings↗2023-03-31

▶

📋Vendor Advisories

Ubuntu

AccountsService vulnerability↗2023-09-25

▶

Microsoft

In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice↗2023-09-12

▶

Ubuntu

AccountsService vulnerability↗2023-06-28

▶

Red Hat

accountsservice: use-after-free via a D-Bus message to the accounts-daemon process↗2023-06-28

▶

Debian

CVE-2023-3297: accountsservice - In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-aft...↗2023

▶