Vulnerability Details : CVE-2008-4311
The default configuration of system.conf in D-Bus (aka DBus) before 1.2.6 omits the send_type attribute in certain rules, which allows local users to bypass intended access restrictions by (1) sending messages, related to send_requested_reply; and possibly (2) receiving messages, related to receive_requested_reply.
Products affected by CVE-2008-4311
- cpe:2.3:a:freedesktop:dbus:*:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.62:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.61:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.35:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.34:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.33:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.22:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.21:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.8:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.92:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.36.1:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.36:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.23.3:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.23.2:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.12:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.11:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.50:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.36.2:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.32:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.31:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.20:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.13:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.91:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.90:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.35.2:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.35.1:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.23.1:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.23:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.10:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.9:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:1.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:freedesktop:dbus:0.60:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2008-4311
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 10 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2008-4311
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.6
|
MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
3.9
|
6.4
|
NIST |
CWE ids for CVE-2008-4311
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2008-4311
-
https://bugs.freedesktop.org/show_bug.cgi?id=18229
18229 – send_requested_reply="true" allows all non-reply messages
-
http://secunia.com/advisories/33055
About Secunia Research | FlexeraVendor Advisory
-
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503532
#503532 - send_requested_reply="true" allows all non-reply messages - Debian Bug report logs
-
http://secunia.com/advisories/34360
About Secunia Research | Flexera
-
http://lists.opensuse.org/opensuse-updates/2012-10/msg00094.html
openSUSE-SU-2012:1418-1: moderate: update for dbus-1, dbus-1-x11
-
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00003.html
[security-announce] SUSE Security Announcement: dbus-1 (SUSE-SA:2009:013) - openSUSE Security Announce - openSUSE Mailing Lists
-
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2009:008 - openSUSE Security Announce - openSUSE Mailing Lists
-
https://www.redhat.com/archives/fedora-package-announce/2008-December/msg00436.html
[SECURITY] Fedora 9 Update: dbus-1.2.6-1.fc9
-
http://forums.fedoraforum.org/showthread.php?t=206797
Packagekit "failed to get a TID:" - rendered unusable
-
http://secunia.com/advisories/34642
About Secunia Research | Flexera
-
http://secunia.com/advisories/33047
About Secunia Research | FlexeraVendor Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=474895
474895 – CVE-2008-4311
-
http://www.securityfocus.com/bid/32674
-
http://lists.freedesktop.org/archives/dbus/2008-December/010702.html
[CVE-2008-4311] DBus 1.2.6
-
http://www.vupen.com/english/advisories/2008/3355
Site en construction
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/47138
D-Bus send_requested_reply and receive_requested_reply security bypass CVE-2008-4311 Vulnerability Report
-
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
[security-announce] SUSE Security Summary Report: SUSE-SR:2009:009 - openSUSE Security Announce - openSUSE Mailing Lists
Jump to