Improper Access Control

Affecting systemd package, versions <241-7~deb10u2

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

In systemd 240, bus_open_system_watch_bind_with_description in shared/bus-util.c (as used by systemd-resolved to connect to the system D-Bus instance), calls sd_bus_set_trusted, which disables access controls for incoming D-Bus messages. An unprivileged user can exploit this by executing D-Bus methods that should be restricted to privileged users, in order to change the system's DNS resolver settings.

References

CVSS Score

5.5
medium severity
  • Attack Vector
    Local
  • Attack Complexity
    Low
  • Privileges Required
    Low
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    High
  • Availability
    None
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CVE
CVE-2019-15718
Snyk ID
SNYK-DEBIAN10-SYSTEMD-460739
Disclosed
04 Sep, 2019
Published
03 Sep, 2019