Do your applications use this vulnerable package?
Test your applications
Overview
Affected versions of this package are vulnerable to Use After Free. A use-after-free flaw was found in D-Bus Development branch <= 1.13.16, dbus-1.12.x stable branch <= 1.12.18, and dbus-1.10.x and older branches <= 1.10.30 when a system has multiple usernames sharing the same UID. When a set of policy rules references these usernames, D-Bus may free some memory in the heap, which is still used by data structures necessary for the other usernames sharing the UID, possibly leading to a crash or other undefined behaviors
Remediation
Upgrade dbus to version or higher.
References
CVSS Score
7.8
high severity
-
Attack VectorLocal
-
Attack ComplexityLow
-
Privileges RequiredLow
-
User InteractionNone
-
ScopeUnchanged
-
ConfidentialityHigh
-
IntegrityHigh
-
AvailabilityHigh
- CVE
- CVE-2020-35512
- CWE
- CWE-416
- Snyk ID
- SNYK-DEBIAN9-DBUS-1056465
- Disclosed
- 15 Feb, 2021
- Published
- 07 Jan, 2021