CVE-2008-0595

dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface.
Severity: UNKNOWN (AV:L/AC:L/Au:N/C:P/I:P/A:P)
Atk. Vector: LOCAL
Atk. Complexity: LOW
Base Score (CVSS 3.x)
EPSS Score
Percentile: Unknown

| Vendor | Product | Version |
|---|---|---|
| mandrakesoft | mandrake_linux | 2007.0_x86_64 |
| mandrakesoft | mandrake_linux | 2007.1 |
| mandrakesoft | mandrake_linux | 2007.1 |
| mandrakesoft | mandrake_linux | 2008.0 |
| mandrakesoft | mandrake_linux | 2008.0 |
| redhat | enterprise_linux | 5.0 |
| freedesktop | dbus | 𝑥 < 1.0.3 |
| freedesktop | dbus | 1.1.0 ≤ 𝑥 < 1.1.20 |

𝑥 = Vulnerable software versions

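Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| dbus | bullseye | 1.12.28-0+deb11u1 | fixed |
| dbus | bullseye (security) | 1.12.24-0+deb11u1 | fixed |
| dbus | bookworm | 1.14.10-1~deb12u1 | fixed |
| dbus | sid | 1.14.10-6 | fixed |
| dbus | trixie | 1.14.10-6 | fixed |
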
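Ubuntu Releases

| Ubuntu Product | Codename | Version | Status |
|---|---|---|---|
| dbus | hardy | Fixed 1.1.20-1ubuntu1 | released |
| dbus | gutsy | Fixed 1.1.1-3ubuntu4.2 | released |
| dbus | feisty | Fixed 1.0.2-1ubuntu4.2 | released |
| dbus | edgy | | ignored |
| dbus | dapper | Fixed 0.60-6ubuntu8.3 | released |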