CVE-2014-3477

The dbus-daemon in D-Bus 1.2.x through 1.4.x, 1.6.x before 1.6.20, and 1.8.x before 1.8.4, sends an AccessDenied error to the service instead of a client when the client is prohibited from accessing the service, which allows local users to cause a denial of service (initialization failure and exit) or possibly conduct a side-channel attack via a D-Bus message to an inactive service.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4 MEDIUM
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: 24%
Affected Products (NVD)
VendorProductVersion
d-bus_projectd-bus
1.2.4.2
d-bus_projectd-bus
1.2.4.4
d-bus_projectd-bus
1.2.4.6
freedesktopdbus
1.2.1
freedesktopdbus
1.2.3
freedesktopdbus
1.2.4
freedesktopdbus
1.2.6
freedesktopdbus
1.2.8
freedesktopdbus
1.2.10
freedesktopdbus
1.2.12
freedesktopdbus
1.2.14
freedesktopdbus
1.2.16
freedesktopdbus
1.2.18
freedesktopdbus
1.2.20
freedesktopdbus
1.2.22
freedesktopdbus
1.2.24
freedesktopdbus
1.2.26
freedesktopdbus
1.2.28
freedesktopdbus
1.2.30
freedesktopdbus
1.3.0
freedesktopdbus
1.3.1
freedesktopdbus
1.4.0
freedesktopdbus
1.4.1
freedesktopdbus
1.4.4
freedesktopdbus
1.4.6
freedesktopdbus
1.4.8
freedesktopdbus
1.4.10
freedesktopdbus
1.4.12
freedesktopdbus
1.4.14
freedesktopdbus
1.4.16
freedesktopdbus
1.4.18
freedesktopdbus
1.4.20
freedesktopdbus
1.4.22
freedesktopdbus
1.4.24
freedesktopdbus
1.4.26
freedesktopdbus
1.6.0
freedesktopdbus
1.6.2
freedesktopdbus
1.6.4
freedesktopdbus
1.6.6
freedesktopdbus
1.6.8
freedesktopdbus
1.6.10
freedesktopdbus
1.6.12
freedesktopdbus
1.6.14
freedesktopdbus
1.6.16
freedesktopdbus
1.6.18
freedesktopdbus
1.8.0
freedesktopdbus
1.8.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
dbus
bookworm
1.14.10-1~deb12u1
fixed
bullseye
1.12.28-0+deb11u1
fixed
bullseye (security)
1.12.24-0+deb11u1
fixed
sid
1.14.10-6
fixed
squeeze
no-dsa
trixie
1.14.10-6
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
dbus
lucid
ignored
precise
Fixed 1.4.18-1ubuntu1.5
released
saucy
Fixed 1.6.12-0ubuntu10.1
released
trusty
Fixed 1.6.18-0ubuntu4.1
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
dbus-1
suse enterprise sap 12 SP5
1.8.22-9.38
fixed
suse enterprise server 12 SP5
1.8.22-9.38
fixed
dbus-1-x11
suse enterprise sap 12 SP5
1.8.22-9.38
fixed
suse enterprise server 12 SP5
1.8.22-9.38
fixed
libdbus-1-3
suse enterprise sap 12 SP5
1.8.22-9.28
fixed
suse enterprise server 12 SP5
1.8.22-9.28
fixed
libdbus-1-3-32bit
suse enterprise sap 12 SP5
1.8.22-9.28
fixed
suse enterprise server 12 SP5
1.8.22-9.28
fixed
References
http://advisories.mageia.org/MGASA-2014-0266.html
http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=24c590703ca47eb71ddef453de43126b90954567
http://lists.opensuse.org/opensuse-updates/2014-06/msg00042.html
http://lists.opensuse.org/opensuse-updates/2014-07/msg00012.html
http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html
http://seclists.org/oss-sec/2014/q2/509
http://secunia.com/advisories/59428
http://secunia.com/advisories/59611
http://secunia.com/advisories/59798
http://www.debian.org/security/2014/dsa-2971
http://www.mandriva.com/security/advisories?name=MDVSA-2015:176
http://www.securityfocus.com/bid/67986
https://bugs.freedesktop.org/show_bug.cgi?id=78979
http://advisories.mageia.org/MGASA-2014-0266.html
http://cgit.freedesktop.org/dbus/dbus/commit/?h=dbus-1.8&id=24c590703ca47eb71ddef453de43126b90954567
http://lists.opensuse.org/opensuse-updates/2014-06/msg00042.html
http://lists.opensuse.org/opensuse-updates/2014-07/msg00012.html
http://lists.opensuse.org/opensuse-updates/2014-09/msg00049.html
http://seclists.org/oss-sec/2014/q2/509
http://secunia.com/advisories/59428
http://secunia.com/advisories/59611
http://secunia.com/advisories/59798
http://www.debian.org/security/2014/dsa-2971
http://www.mandriva.com/security/advisories?name=MDVSA-2015:176
http://www.securityfocus.com/bid/67986
https://bugs.freedesktop.org/show_bug.cgi?id=78979