CVE-2023-34969

D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://gitlab.freedesktop.org/dbus/dbus/-/issues/457	Exploit Issue Tracking Mitigation Patch Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20231208-0007/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:freedesktop:dbus::::::::
	cpe:2.3:a:freedesktop:dbus::::::::
	cpe:2.3:a:freedesktop:dbus::::::::

Configuration 2 (hide)

cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-06-08 03:15

Updated : 2023-12-27 16:36

NVD link : CVE-2023-34969

Mitre link : CVE-2023-34969

CVE.ORG link : CVE-2023-34969

JSON object : View

Products Affected

freedesktop

dbus

debian

debian_linux

fedoraproject

fedora

CWE

NVD-CWE-noinfo

{"id": "CVE-2023-34969", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-06-08T03:15:08.970", "references": [{"url": "https://gitlab.freedesktop.org/dbus/dbus/-/issues/457", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00033.html", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZYCDRMD7B4XO4HF6C6YTLH4YUD7TANP/", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20231208-0007/", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus-daemon. If a privileged user with control over the dbus-daemon is using the org.freedesktop.DBus.Monitoring interface to monitor message bus traffic, then an unprivileged user with the ability to connect to the same dbus-daemon can cause a dbus-daemon crash under some circumstances via an unreplyable message. When done on the well-known system bus, this is a denial-of-service vulnerability. The fixed versions are 1.12.28, 1.14.8, and 1.15.6."}, {"lang": "es", "value": "D-Bus en versiones anteriores a v1.15.6 a veces permite a usuarios sin privilegios bloquear el \"dbus-daemon\". Si un usuario privilegiado con control sobre \"dbus-daemon\" est\u00e1 usando la interfaz \"org.freedesktop.DBus.Monitoring\" para monitorizar el tr\u00e1fico del bus de mensajes, entonces un usuario sin privilegios con la capacidad de conectarse al mismo \"dbus-daemon\" puede causar un fallo del \"dbus-daemon\" bajo algunas circunstancias a trav\u00e9s de un mensaje sin respuesta. Cuando se hace en el bus del sistema conocido, se trata de una vulnerabilidad de denegaci\u00f3n de servicio. Las versiones que corrigen esta vulnerabilidad son v1.12.28, v1.14.8 y v1.15.6. "}], "lastModified": "2023-12-27T16:36:58.353", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freedesktop:dbus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B0C27DA9-8223-4925-B3B8-4F36EB1FDD1F", "versionEndExcluding": "1.12.28", "versionStartIncluding": "1.12.0"}, {"criteria": "cpe:2.3:a:freedesktop:dbus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B50ED37A-5986-4AB3-8D32-108D0BA2B9B8", "versionEndExcluding": "1.14.8", "versionStartIncluding": "1.14.0"}, {"criteria": "cpe:2.3:a:freedesktop:dbus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF88A5BF-3A26-4E9F-B19B-DB32F3185527", "versionEndExcluding": "1.15.6", "versionStartIncluding": "1.15.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}

6.5 /10