CVE-2019-12795

HIGH

gvfs < 1.38.3, 1.40.x < 1.40.2, 1.41.x < 1.41.3 - Unauthenticated D-Bus Method Call Execution via Private Server Socket

Title source: llm

Description

daemon/gvfsdaemon.c in gvfsd from GNOME gvfs before 1.38.3, 1.40.x before 1.40.2, and 1.41.x before 1.41.3 opened a private D-Bus server socket without configuring an authorization rule. A local attacker could connect to this server socket and issue D-Bus method calls. (Note that the server socket only accepts a single connection, so the attacker would have to discover the server and connect to the socket before its owner does.)

References (11)

Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/108741
Mailing List (x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2019/06/msg00014.html
Vendor Advisory (x_refsource_ubuntu): https://usn.ubuntu.com/4053-1/
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:3553

Scores

CVSS v3 7.8
EPSS 0.0006
EPSS Percentile 18.7%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-276
Status published
Products (1)
gnome/gvfs < 1.38.3
Published Jun 11, 2019
Tracked Since Feb 18, 2026