Vulnerability details: VCID-3jg4-8sst-aaak
Vulnerability ID VCID-3jg4-8sst-aaak
Aliases CVE-2019-12749
Summary dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (2)
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12749.html
rhas Moderate https://access.redhat.com/errata/RHSA-2020:4032
cvssv3 7.0 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12749.json
epss 0.00037 https://api.first.org/data/v1/epss?cve=CVE-2019-12749
epss 0.00080 https://api.first.org/data/v1/epss?cve=CVE-2019-12749
epss 0.00093 https://api.first.org/data/v1/epss?cve=CVE-2019-12749
rhbs high https://bugzilla.redhat.com/show_bug.cgi?id=1719344
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749
cvssv3 7.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 3.6 https://nvd.nist.gov/vuln/detail/CVE-2019-12749
cvssv3 7.1 https://nvd.nist.gov/vuln/detail/CVE-2019-12749
archlinux High https://security.archlinux.org/AVG-974
generic_textual Medium https://ubuntu.com/security/notices/USN-4015-1
generic_textual Medium https://ubuntu.com/security/notices/USN-4015-2
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00059.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00092.html
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00026.html
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12749.html
https://access.redhat.com/errata/RHSA-2019:1726
https://access.redhat.com/errata/RHSA-2019:2868
https://access.redhat.com/errata/RHSA-2019:2870
https://access.redhat.com/errata/RHSA-2019:3707
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12749.json
https://api.first.org/data/v1/epss?cve=CVE-2019-12749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12749
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://lists.debian.org/debian-lts-announce/2019/06/msg00005.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU/
https://seclists.org/bugtraq/2019/Jun/16
https://security.gentoo.org/glsa/201909-08
https://security.netapp.com/advisory/ntap-20241206-0010/
https://ubuntu.com/security/notices/USN-4015-1
https://ubuntu.com/security/notices/USN-4015-2
https://usn.ubuntu.com/4015-1/
https://usn.ubuntu.com/4015-2/
https://www.debian.org/security/2019/dsa-4462
https://www.openwall.com/lists/oss-security/2019/06/11/2
http://www.openwall.com/lists/oss-security/2019/06/11/2
http://www.securityfocus.com/bid/108751
1719344 https://bugzilla.redhat.com/show_bug.cgi?id=1719344
930375 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930375
ASA-201906-16 https://security.archlinux.org/ASA-201906-16
AVG-974 https://security.archlinux.org/AVG-974
cpe:2.3:a:freedesktop:dbus:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:freedesktop:dbus:*:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
CVE-2019-12749 https://nvd.nist.gov/vuln/detail/CVE-2019-12749
RHSA-2020:4032 https://access.redhat.com/errata/RHSA-2020:4032
RHSA-2021:0949 https://access.redhat.com/errata/RHSA-2021:0949
No exploits are available.
Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12749.json
Attack Vector (AV): local; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-12749
Access Vector (AV): local; Access Complexity (AC): low; Authentication (Au): none; Confidentiality Impact (C): partial; Integrity Impact (I): partial; Availability Impact (A): none
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-12749
Attack Vector (AV): local; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none
Exploit Prediction Scoring System (EPSS)
Percentile 0.07767
EPSS Score 0.00037
Published At March 28, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
There are no relevant records.