CVE-2012-4425

Published Sep 18, 2012

Last updated a year ago

Overview

Description: libgio, when used in setuid or other privileged programs in spice-gtk and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: it could be argued that this is a vulnerability in the applications that do not cleanse environment variables, not in libgio itself.
Source: secalert@redhat.com
NVD status: Modified

Hype score: Not currently trending

Risk scores

CVSS 2.0

Type: Primary
Base score: 6.9
Impact score: 10
Exploitability score: 3.4
Vector string: AV:L/AC:M/Au:N/C:C/I:C/A:C

Weaknesses

nvd@nist.gov: CWE-264

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:freedesktop:spice-gtk:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "64B1EDE6-8B70-4E56-B66A-4518B8D51D54"
          },
          {
            "criteria": "cpe:2.3:a:gtk:libgio:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0A139AC4-9103-4396-97C3-5F727B1DD040"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 2.0

Weaknesses

Configurations

References