Description
In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property. The underlying mechanism is a dbus-daemon policy rule: an `<allow send_interface="..."/>` rule that carries no `send_destination` matches messages on that interface to any bus name, so a default-context allow for the `org.freedesktop.DBus.Properties` interface lets an unprivileged user call `Get`, `GetAll` and `Set` on every service on the system bus, not only on Keepalived.
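The following audit script is an added example (not Keepalived's code or its actual policy file) that shows the weak pattern beside the hardened one and flags it. The two embedded policy documents are constructed for this example under the hypothetical bus name `org.example.Vrrp`; the check itself applies to any file under `/etc/dbus-1/system.d/`: a `send_*` allow rule with neither `send_destination` nor `send_destination_prefix` grants the rule to every destination on the bus.

```python
"""Flag dbus-daemon policy allow rules that are not scoped to a destination.

Added example for the Keepalived D-Bus policy issue; it is not code from the
Keepalived project.  The two policies below are constructed for this example
and use the hypothetical bus name org.example.Vrrp.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed weak policy: the default-context allows name an interface but no
# destination, so any user may send Properties calls to ANY service on the bus.
WEAK_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<busconfig>
  <policy user="root">
    <allow own="org.example.Vrrp"/>
  </policy>
  <policy context="default">
    <allow send_interface="org.example.Vrrp.Instance"/>
    <allow send_interface="org.freedesktop.DBus.Properties"/>
  </policy>
</busconfig>
"""

# Constructed hardened policy: every send rule is pinned to the service's own
# bus name, so the grant no longer reaches unrelated services.
HARDENED_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<busconfig>
  <policy user="root">
    <allow own="org.example.Vrrp"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Vrrp"
           send_interface="org.example.Vrrp.Instance"/>
    <allow send_destination="org.example.Vrrp"
           send_interface="org.freedesktop.DBus.Properties"/>
  </policy>
</busconfig>
"""

DESTINATION_ATTRS = ("send_destination", "send_destination_prefix")


def policy_scope(policy: ET.Element) -> str:
    """Describe which principals a <policy> element applies to."""
    for attr in ("context", "user", "group", "at_console"):
        if policy.get(attr) is not None:
            return f'{attr}="{policy.get(attr)}"'
    return "unscoped"


def find_unscoped_send_rules(policy_xml: str) -> list:
    """Return every <allow> rule that permits sending without naming a destination.

    Each finding is {"policy": <scope>, "rule": {<send_* attributes>}}.
    own/receive/eavesdrop rules are ignored; only send_* grants are examined.
    """
    root = ET.fromstring(policy_xml)
    findings = []
    for policy in root.iter("policy"):
        for rule in policy.findall("allow"):
            send_attrs = {k: v for k, v in rule.attrib.items() if k.startswith("send_")}
            if not send_attrs:
                continue
            if any(attr in send_attrs for attr in DESTINATION_ATTRS):
                continue
            findings.append({"policy": policy_scope(policy), "rule": send_attrs})
    return findings


def is_default_context_finding(finding: dict) -> bool:
    """True when the unscoped grant reaches every connection on the bus."""
    return finding["policy"] == 'context="default"'


if __name__ == "__main__":
    # Usage: python dbus_policy_audit.py [/etc/dbus-1/system.d/*.conf]
    # With no arguments the two constructed policies above are audited.
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [
        ("WEAK_POLICY", WEAK_POLICY),
        ("HARDENED_POLICY", HARDENED_POLICY),
    ]
    for name, xml_text in sources:
        found = find_unscoped_send_rules(xml_text)
        print(f"{name}: {len(found)} unscoped send rule(s)")
        for f in found:
            severity = "HIGH" if is_default_context_finding(f) else "review"
            print(f"  [{severity}] policy {f['policy']}: allow {f['rule']}")
```

Run it against the policy files in `/etc/dbus-1/system.d/` to see which services grant unscoped send rules; a default-context grant on `org.freedesktop.DBus.Properties` is the pattern the description refers to, because the `Set` method of that interface is what turns inspection into manipulation of another service's writable properties.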
References (5)
Fedora package-announce (mailing list, vendor advisory): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6O2R6EXURJQFPFPYFWRCZLUYVWQCLSZM/
Fedora package-announce (mailing list, vendor advisory): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5226RYNMNB7FL4MSJDIBBGPUWH6LMRYV/
Debian LTS announce (mailing list): https://lists.debian.org/debian-lts-announce/2023/04/msg00012.html
Upstream fix commit (patch, third-party advisory): https://github.com/acassen/keepalived/commit/7977fec0be89ae6fe87405b3f8da2f0b5e415e3d
Upstream pull request (third-party advisory): https://github.com/acassen/keepalived/pull/2063
Scores
CVSS v3
5.4
EPSS
0.0018
EPSS Percentile
39.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
Status
published
Products (3)
fedoraproject/fedora
34
fedoraproject/fedora
35
keepalived/keepalived
through 2.2.4 (inclusive, per the description)
Published
Nov 26, 2021
Tracked Since
Feb 18, 2026