Auth bypass in Freedesktop Dbus

CVE-2008-0595

dbus-daemon in D-Bus before 1.0.3, and 1.1.x before 1.1.20, recognizes send_interface attributes in allow directives in the security policy only for fully qualified method calls, which allows local users to bypass intended access restricti…

Vulnerability class: Broken Access Control

EPSS: 0.004 (32.3th percentile) — read the EPSS interpretation.

Affected products

Freedesktop Dbus
Mandrakesoft Mandrake_linux — versions 2007, 2007.0_x86_64, 2007.1
Fedoraproject Fedora — versions 7
Redhat Enterprise_linux — versions 5, 5.0
N/a — versions n/a

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

References

secalert@redhat.com (x_refsource_SECUNIA, Broken Link, third-party-advisory)
secalert@redhat.com (vdb-entry, Broken Link, x_refsource_VUPEN)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
secalert@redhat.com (vendor-advisory, Third Party Advisory, x_refsource_SUSE)
secalert@redhat.com (mailing-list, x_refsource_MLIST, Patch, Third Party Advisory)
secalert@redhat.com (x_refsource_SECUNIA, Broken Link, third-party-advisory)
secalert@redhat.com (x_refsource_SECUNIA, Broken Link, third-party-advisory)
secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory)
secalert@redhat.com (vendor-advisory, x_refsource_FEDORA, Third Party Advisory)
secalert@redhat.com (x_refsource_SECUNIA, Broken Link, third-party-advisory)