CVE-2019-3827

Published Mar 25, 2019

Last updated 4 years ago

Overview

Description: An incorrect permission check in the admin backend in gvfs before version 1.39.4 was found that allows reading and modify arbitrary files by privileged users without asking for password when no authentication agent is running. This vulnerability can be exploited by malicious programs running under privileges of users belonging to the wheel group to further escalate its privileges by modifying system files without user's knowledge. Successful exploitation requires uncommon system configuration.
Source: secalert@redhat.com
NVD status: Analyzed

Hype score: Not currently trending

Risk scores

CVSS 3.1

Type: Primary
Base score: 7
Impact score: 5.9
Exploitability score: 1
Vector string: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 3.0

Type: Secondary
Base score: 7
Impact score: 5.9
Exploitability score: 1
Vector string: CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 3.3
Impact score: 4.9
Exploitability score: 3.4
Vector string: AV:L/AC:M/Au:N/C:P/I:P/A:N

Weaknesses

nvd@nist.gov: CWE-863
secalert@redhat.com: CWE-863

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:gnome:gvfs:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4CCCD769-3EC0-4707-893E-EF7438D4DBEE",
            "versionEndExcluding": "1.39.4"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Social media

Risk scores

CVSS 3.1

CVSS 3.0

CVSS 2.0

Weaknesses

Configurations

References