CVE-2024-34397Authentication Bypass by Spoofing in Glib

CWE-290Authentication Bypass by SpoofingCWE-940Improper Verification of Source of a Communication Channel8 documents8 sources
Severity
5.2MEDIUMNVD
EPSS
0.2%
top 59.10%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Gnome GlibDebian LinuxFedoraproject Fedora+1 more
Timeline
PublishedMay 7
Latest updateMay 14

Description

An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shared computer, other users of the same computer can send spoofed D-Bus signals that the GDBus-based client will wrongly interpret as having been sent by the trusted system service. This could lead to the GDBus-based client behaving incorrectly, with an application-dependent impact.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:LExploitability: 0.9 | Impact: 4.2

Affected Packages1 packages

NVDgnome/glib2.79.02.80.1+1

Also affects: Ontap Tools 10, Debian Linux 10.0, Fedora 39, 40

🔴Vulnerability Details

3
GHSA
GHSA-f632-c3rh-r2v2: An issue was discovered in GNOME GLib before 22024-05-07
OSV
CVE-2024-34397: An issue was discovered in GNOME GLib before 22024-05-07
CVEList
CVE-2024-34397: An issue was discovered in GNOME GLib before 22024-05-07

📋Vendor Advisories

4
Microsoft
An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x before 2.80.1. When a GDBus-based client subscribes to signals from a trusted system service such as NetworkManager on a shar2024-05-14
Ubuntu
GLib vulnerability2024-05-09
Red Hat
glib2: Signal subscription vulnerabilities2024-05-07
Debian
CVE-2024-34397: glib2.0 - An issue was discovered in GNOME GLib before 2.78.5, and 2.79.x and 2.80.x befor...2024