CVE-2019-12795

2019-06-1100:00:00

ubuntu.com

CVSS2

4.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

5.1%

JSON

daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before
1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket
without configuring an authorization rule. A local attacker could connect
to this server socket and issue D-Bus method calls. (Note that the server
socket only accepts a single connection, so the attacker would have to
discover the server and connect to the socket before its owner does.)

Bugs

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930376>

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchgvfs< 1.36.1-0ubuntu1.3.3UNKNOWN
ubuntu18.10noarchgvfs< 1.38.1-0ubuntu1.3.2UNKNOWN
ubuntu19.04noarchgvfs< 1.40.1-1ubuntu0.1UNKNOWN
ubuntu16.04noarchgvfs< 1.28.2-1ubuntu1~16.04.3UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	gvfs	< 1.36.1-0ubuntu1.3.3	UNKNOWN
ubuntu	18.10	noarch	gvfs	< 1.38.1-0ubuntu1.3.2	UNKNOWN
ubuntu	19.04	noarch	gvfs	< 1.40.1-1ubuntu0.1	UNKNOWN
ubuntu	16.04	noarch	gvfs	< 1.28.2-1ubuntu1~16.04.3	UNKNOWN