#VU67970 Out-of-bounds read in dbus - CVE-2022-42011
Vulnerability identifier: #VU67970
Vulnerability risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID:
CWE-125
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
dbus
Universal components / Libraries /
Libraries used by multiple products
Vendor: Freedesktop.org
Description
The vulnerability allows a local user to gain access to potentially sensitive information or perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error caused by an invalid array of fixed-length elements where the length of the array is not a multiple of the length of the element. A local user can trigger an out-of-bounds read and gain access to sensitive information.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
dbus: 1.3.0 - 1.3.1, 1.4.0 - 1.4.26, 1.5.0 - 1.5.12, 1.6.0 - 1.6.30, 1.7.0 - 1.7.10, 1.8.0 - 1.8.22, 1.9.0 - 1.9.20, 1.10.0 - 1.10.32, 1.11.0 - 1.11.22, 1.12.0 - 1.12.24, 1.13.0 - 1.13.22, 1.14.0 - 1.14.4, 1.15.0 - 1.15.2
External links
https://seclists.org/oss-sec/2022/q4/7
https://gitlab.freedesktop.org/dbus/dbus/-/commit/079bbf16186e87fb0157adf8951f19864bc2ed69
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
