CVE-2019-12795

Published: 11 June 2019

daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)

Priority

Medium

CVSS 3 Severity Score

7.8

Status

Package Release Status
gvfs bionic Released (1.36.1-0ubuntu1.3.3)
gvfs cosmic Released (1.38.1-0ubuntu1.3.2)
gvfs disco Released (1.40.1-1ubuntu0.1)
gvfs trusty Does not exist
gvfs upstream Released (1.40.2, 1.41.3)
gvfs xenial Released (1.28.2-1ubuntu1~16.04.3)

Patches:
upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/70dbfc68a79faac49bd3423e079cb6902522082a
upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/d8c9138bf240975848b1c54db648ec4cd516a48f
upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/a0da5f16feda323c29850c495acd86dfc8fbb262
upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/e3808a1b4042761055b1d975333a8243d67b8bfe
upstream: https://gitlab.gnome.org/GNOME/gvfs/commit/756edf6692aa245faedc9573bf88bfe78af3ead3

Severity score breakdown

Parameter Value
Base score 7.8
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H