CVE-2009-1189

2009-04-2718:00:00

CWE-20

[email protected]

web.nvd.nist.gov

cve-2009-1189

d-bus

dbus

cve-2008-3834

remote attackers

signature spoofing

7.3 High

AI Score

Confidence

High

3.6 Low

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:P/A:P

0.007 Low

EPSS

Percentile

80.4%

JSON

The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834.

CPENameOperatorVersion
freedesktop:dbusfreedesktop dbuseq0.13
freedesktop:dbusfreedesktop dbuseq0.60
freedesktop:dbusfreedesktop dbuseq1.1.2
freedesktop:dbusfreedesktop dbuseq0.34
freedesktop:dbusfreedesktop dbuseq0.92
freedesktop:dbusfreedesktop dbuseq0.50
freedesktop:dbusfreedesktop dbusle1.2.3
freedesktop:dbusfreedesktop dbuseq0.35.1
freedesktop:dbusfreedesktop dbuseq0.5
freedesktop:dbusfreedesktop dbuseq0.36.1

CPE	Name	Operator	Version
freedesktop:dbus	freedesktop dbus	eq	0.13
freedesktop:dbus	freedesktop dbus	eq	0.60
freedesktop:dbus	freedesktop dbus	eq	1.1.2
freedesktop:dbus	freedesktop dbus	eq	0.34
freedesktop:dbus	freedesktop dbus	eq	0.92
freedesktop:dbus	freedesktop dbus	eq	0.50
freedesktop:dbus	freedesktop dbus	le	1.2.3
freedesktop:dbus	freedesktop dbus	eq	0.35.1
freedesktop:dbus	freedesktop dbus	eq	0.5
freedesktop:dbus	freedesktop dbus	eq	0.36.1