CVE-2019-3827
HIGHgvfs < 1.39.4 - Incorrect Authorization in Admin Backend
Title source: llmDescription
An incorrect permission check in the admin backend in gvfs before version 1.39.4 was found that allows reading and modify arbitrary files by privileged users without asking for password when no authentication agent is running. This vulnerability can be exploited by malicious programs running under privileges of users belonging to the wheel group to further escalate its privileges by modifying system files without user's knowledge. Successful exploitation requires uncommon system configuration.
References (4)
Core 4
Core References
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3827
Patch, Vendor Advisory x_refsource_confirm
https://gitlab.gnome.org/GNOME/gvfs/merge_requests/31
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:1517
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2145
Scores
CVSS v3
7.0
EPSS
0.0006
EPSS Percentile
18.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
Status
published
Products (1)
gnome/gvfs
< 1.39.4
Published
Mar 25, 2019
Tracked Since
Feb 18, 2026