CVSS: 6.8EPSS: 1%CPEs: 5EXPL: 1CVE-2023-34969 – dbus: dbus-daemon: assertion failure when a monitor is active and a message from the driver cannot be delivered
https://notcve.org/view.php?id=CVE-2023-34969
08 Jun 2023 — D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15... • https://gitlab.freedesktop.org/dbus/dbus/-/issues/457 • CWE-617: Reachable Assertion •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 1CVE-2022-42010 – dbus: dbus-daemon crashes when receiving message with incorrectly nested parentheses and curly brackets
https://notcve.org/view.php?id=CVE-2022-42010
09 Oct 2022 — An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures. Se ha detectado un problema en D-Bus versiones anteriores a 1.12.24, versiones 1.13.x y 1.14.x anteriores a 1.14.4, y versiones 1.15.x anteriores a 1.15.2. Un atacante autenticado puede causar que dbus-daemon y otros programas que usan libdbus sean... • https://gitlab.freedesktop.org/dbus/dbus/-/issues/418 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 1CVE-2022-42011 – dbus: dbus-daemon can be crashed by messages with array length inconsistent with element type
https://notcve.org/view.php?id=CVE-2022-42011
09 Oct 2022 — An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type. Se ha detectado un problema en D-Bus versiones anteriores a 1.12.24, versiones 1.13.x y 1.14.x anteriores a 1.14.4, y versiones 1.15.x anteriores a 1.15.2. Un atacante autenticado puede causar que dbus-daemon y ot... • https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 • CWE-129: Improper Validation of Array Index CWE-400: Uncontrolled Resource Consumption •
CVSS: 6.8EPSS: 0%CPEs: 6EXPL: 1CVE-2022-42012 – dbus: `_dbus_marshal_byteswap` doesn't process fds in messages with "foreign" endianness correctly
https://notcve.org/view.php?id=CVE-2022-42012
09 Oct 2022 — An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format. Se ha detectado un problema en D-Bus versiones anteriores a 1.12.24, versiones 1.13.x y 1.14.x anteriores a 1.14.4, y versiones 1.15.x anteriores a 1.15.2. Un atacante autenticado puede causar que dbus-daemon y otros programas que usa... • https://gitlab.freedesktop.org/dbus/dbus/-/issues/417 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-35512 – Ubuntu Security Notice USN-5244-1
https://notcve.org/view.php?id=CVE-2020-35512
15 Feb 2021 — A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors Se encontró un fallo de uso de la memoria previamente l... • https://bugs.gentoo.org/755392 • CWE-416: Use After Free •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 3CVE-2020-12049 – dbus: denial of service via file descriptor leak
https://notcve.org/view.php?id=CVE-2020-12049
08 Jun 2020 — An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. Se detectó un problema en dbus versiones posteriores a 1.3.0 e incluyéndola y anteriores a 1.12... • https://packetstorm.news/files/id/172840 • CWE-400: Uncontrolled Resource Consumption CWE-404: Improper Resource Shutdown or Release •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2019-12749 – dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass
https://notcve.org/view.php?id=CVE-2019-12749
11 Jun 2019 — dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a ... • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00059.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-287: Improper Authentication •
CVSS: 4.7EPSS: 0%CPEs: 50EXPL: 0CVE-2015-0245 – Debian Security Advisory 3161-1
https://notcve.org/view.php?id=CVE-2015-0245
12 Feb 2015 — D-Bus 1.4.x through 1.6.x before 1.6.30, 1.8.x before 1.8.16, and 1.9.x before 1.9.10 does not validate the source of ActivationFailure signals, which allows local users to cause a denial of service (activation failure error returned) by leveraging a race condition involving sending an ActivationFailure signal before systemd responds. D-Bus 1.4.x hasta 1.6.x anterior a 1.6.30, 1.8.x anterior a 1.8.16, y 1.9.x anterior a 1.9.10 no valida la fuente de los señales ActivationFailure, lo que permite a usuarios l... • http://advisories.mageia.org/MGASA-2015-0071.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 5.5EPSS: 0%CPEs: 26EXPL: 2CVE-2014-7824 – Mandriva Linux Security Advisory 2014-214
https://notcve.org/view.php?id=CVE-2014-7824
18 Nov 2014 — D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1. D-Bus hasta 1.3.0 y 1.6.x antes de 1.6.26, 1.8.x antes de 1.8.10, y 1.9.x antes de 1.9.2 permite a usuarios locales provocar una denegación de servicio (la prevención de nuevas conexiones y caíd... • http://advisories.mageia.org/MGASA-2014-0457.html • CWE-399: Resource Management Errors •
CVSS: 5.5EPSS: 0%CPEs: 17EXPL: 0CVE-2014-3635 – Mandriva Linux Security Advisory 2014-214
https://notcve.org/view.php?id=CVE-2014-3635
17 Sep 2014 — Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure. Error por un paso en D-Bus 1.3.0 hasta la versión 1.6.x en versiones anteriores a 1.6.24 y 1.8.x en versiones an... • http://advisories.mageia.org/MGASA-2014-0395.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •