CVE-2015-1327

Publication date 22 April 2019

Last updated 25 August 2025

Ubuntu priority

Cvss 3 Severity Score

Description

Content Hub before version 0.0+15.04.20150331-0ubuntu1.0 DBUS API only requires a file path for a content item, it doesn't actually require the confined app have access to the file to create a transfer. This could allow a malicious application using the DBUS API to export file:///etc/passwd which would then send a copy of that file to another app.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
content-hub	16.10 yakkety	Not affected
	16.04 LTS xenial	Not affected
	15.10 wily	Ignored end of life
	15.04 vivid	Fixed 0.0+15.04.20150331-0ubuntu1.0
	14.10 utopic	Not affected
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release

Notes

jdstrand

per kenvandine, only vivid and higher are affected vivid/stable-phone-overlay scheduled for OTA9

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
content-hub	Upstream: https://chinstrap.canonical.com/~kenvandine/content-hub_0.0+15.04.20150331-0ubuntu1.0.tar Upstream: http://bazaar.launchpad.net/~phablet-team/content-hub/trunk/revision/212

Severity score breakdown

Parameter	Value
Base score	7.8 · High
Attack vector	Local
Attack complexity	Low
Privileges required	None
User interaction	Required
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

Other references

https://www.cve.org/CVERecord?id=CVE-2015-1327