
CVSS: 6.8 • EPSS: 0% • CPEs: 6 • EXPL: 1

09 Oct 2022 — An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash by sending a message with attached file descriptors in an unexpected format. • https://gitlab.freedesktop.org/dbus/dbus/-/issues/417 • CWE-400: Uncontrolled Resource Consumption

CVSS: 6.8 • EPSS: 0% • CPEs: 6 • EXPL: 1

09 Oct 2022 — An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message with certain invalid type signatures. • https://gitlab.freedesktop.org/dbus/dbus/-/issues/418 • CWE-347: Improper Verification of Cryptographic Signature

CVSS: 6.8 • EPSS: 0% • CPEs: 6 • EXPL: 1

09 Oct 2022 — An issue was discovered in D-Bus before 1.12.24, 1.13.x and 1.14.x before 1.14.4, and 1.15.x before 1.15.2. An authenticated attacker can cause dbus-daemon and other programs that use libdbus to crash when receiving a message where an array length is inconsistent with the size of the element type. • https://gitlab.freedesktop.org/dbus/dbus/-/issues/413 • CWE-129: Improper Validation of Array Index; CWE-400: Uncontrolled Resource Consumption

CVSS: 7.1 • EPSS: 0% • CPEs: 7 • EXPL: 0

11 Jun 2019 — dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a ... • http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00059.html • CWE-59: Improper Link Resolution Before File Access ('Link Following'); CWE-287: Improper Authentication

CVSS: 10.0 • EPSS: 0% • CPEs: 49 • EXPL: 2

27 Apr 2009 — The _dbus_validate_signature_with_reason function (dbus-marshal-validate.c) in D-Bus (aka DBus) before 1.2.14 uses incorrect logic to validate a basic type, which allows remote attackers to spoof a signature via a crafted key. NOTE: this is due to an incorrect fix for CVE-2008-3834. • http://bugs.freedesktop.org/show_bug.cgi?id=17803 • CWE-20: Improper Input Validation

CVSS: 9.1 • EPSS: 0% • CPEs: 46 • EXPL: 0

10 Dec 2008 — The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503532 • CWE-16: Configuration

CVSS: 10.0 • EPSS: 3% • CPEs: 44 • EXPL: 1

07 Oct 2008 — The dbus_signature_validate function in the D-bus library (libdbus) before 1.2.4 allows remote attackers to cause a denial of service (application abort) via a message containing a malformed signature, which triggers a failed assertion error. • https://www.exploit-db.com/exploits/7822 • CWE-20: Improper Input Validation

CVSS: 7.5 • EPSS: 0% • CPEs: 11 • EXPL: 0

29 Feb 2008 — dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restrictions via a method call with a NULL interface. • http://lists.freedesktop.org/archives/dbus/2008-February/009401.html • CWE-863: Incorrect Authorization