CVE-2015-1327

Published: 22 April 2019

The DBUS API of Content Hub before version 0.0+15.04.20150331-0ubuntu1.0 only requires a file path for a content item; it does not actually require that the confined app have access to the file in order to create a transfer. This could allow a malicious application using the DBUS API to export file:///etc/passwd, which would then send a copy of that file to another app.
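The missing check described above is an authorization decision made on behalf of the requesting app rather than the broker. The following is an added example, not Content Hub's code or its actual fix: `ConfinedApp`, `readable_roots`, `may_create_transfer` and the sample paths are hypothetical, and the app's policy is modelled as a plain list of readable directories.

```cpp
#include <algorithm>
#include <filesystem>
#include <iostream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Hypothetical model of a confined app: the directories its sandbox policy lets it read.
struct ConfinedApp {
    std::string id;
    std::vector<fs::path> readable_roots;
};

// True if `candidate` is `root` itself or lies beneath it. The comparison is per path
// component, so ".../com.example.app2" does not match the root ".../com.example.app".
static bool is_within(const fs::path& root, const fs::path& candidate) {
    auto m = std::mismatch(root.begin(), root.end(), candidate.begin(), candidate.end());
    return m.first == root.end();
}

// Broker-side check before creating a transfer: the item must be a file:// URL whose
// resolved path the *requesting* app may read, not merely one the broker can read.
bool may_create_transfer(const ConfinedApp& app, const std::string& item_url) {
    const std::string scheme = "file://";
    if (item_url.compare(0, scheme.size(), scheme) != 0) return false;
    std::error_code ec;
    // Resolve symlinks and ".." so the decision is made on the real target.
    fs::path target = fs::weakly_canonical(fs::path(item_url.substr(scheme.size())), ec);
    if (ec || !target.is_absolute()) return false;
    for (const auto& root : app.readable_roots) {
        fs::path real_root = fs::weakly_canonical(root, ec);
        if (!ec && is_within(real_root, target)) return true;
    }
    return false;  // default deny: no readable root covers the target
}

int main() {
    // Constructed sample app and paths.
    ConfinedApp app{"com.example.app",
                    {fs::path("/home/phablet/.local/share/com.example.app")}};
    for (const char* url : {"file:///etc/passwd",
                            "file:///home/phablet/.local/share/com.example.app/photo.jpg"})
        std::cout << url << " -> "
                  << (may_create_transfer(app, url) ? "allow" : "deny") << "\n";
}
```
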

Notes

Author Note
jdstrand
per kenvandine, only vivid and higher are affected
vivid/stable-phone-overlay scheduled for OTA9

Priority

Medium

CVSS 3 Severity Score

7.8

Status

Package: content-hub (Launchpad, Ubuntu, Debian)

Release Status
precise Does not exist
trusty Does not exist (trusty was not-affected)
upstream Needs triage
utopic Not vulnerable
vivid Released (0.0+15.04.20150331-0ubuntu1.0)
wily Ignored (end of life)
xenial Not vulnerable
yakkety Not vulnerable

Patches:
upstream: https://chinstrap.canonical.com/~kenvandine/content-hub_0.0+15.04.20150331-0ubuntu1.0.tar
upstream: http://bazaar.launchpad.net/~phablet-team/content-hub/trunk/revision/212

Severity score breakdown

Parameter Value
Base score 7.8
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H