CVE-2008-4311

2008-12-1000:30:00

CWE-16

[email protected]

web.nvd.nist.gov

cve-2008-4311

d-bus

dbus

system.conf

security vulnerability

access restrictions

local users

nvd

5.9 Medium

AI Score

Confidence

Low

4.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

9.6%

JSON

The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply.

CPENameOperatorVersion
freedesktop:dbusfreedesktop dbuseq0.13
freedesktop:dbusfreedesktop dbuseq0.60
freedesktop:dbusfreedesktop dbuseq1.1.2
freedesktop:dbusfreedesktop dbuseq0.34
freedesktop:dbusfreedesktop dbuseq0.92
freedesktop:dbusfreedesktop dbuseq0.50
freedesktop:dbusfreedesktop dbuseq0.35.1
freedesktop:dbusfreedesktop dbuseq0.5
freedesktop:dbusfreedesktop dbuseq0.36.1
freedesktop:dbusfreedesktop dbuseq0.33

CPE	Name	Operator	Version
freedesktop:dbus	freedesktop dbus	eq	0.13
freedesktop:dbus	freedesktop dbus	eq	0.60
freedesktop:dbus	freedesktop dbus	eq	1.1.2
freedesktop:dbus	freedesktop dbus	eq	0.34
freedesktop:dbus	freedesktop dbus	eq	0.92
freedesktop:dbus	freedesktop dbus	eq	0.50
freedesktop:dbus	freedesktop dbus	eq	0.35.1
freedesktop:dbus	freedesktop dbus	eq	0.5
freedesktop:dbus	freedesktop dbus	eq	0.36.1
freedesktop:dbus	freedesktop dbus	eq	0.33