Skip to main content

Spice Gtk CVE-2012-4425

MEDIUM
Permissions, Privileges, and Access Controls (CWE-264)
2012-09-18 secalert@redhat.com
6.9
CVSS 2.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
AV:L/AC:M/Au:N/C:C/I:C/A:C

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

AV:L/AC:M/Au:N/C:C/I:C/A:C
Attack Vector
Local
Attack Complexity
M
Confidentiality
C
Integrity
C
Availability
C

Lifecycle Timeline

1
CVE Published
Sep 18, 2012 - 17:55 cve.org
MEDIUM 6.9

DescriptionCVE.org

libgio, when used in setuid or other privileged programs in spice-gtk and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: it could be argued that this is a vulnerability in the applications that do not cleanse environment variables, not in libgio itself.

AnalysisAI

libgio, when used in setuid or other privileged programs in spice-gtk and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS. Rated medium severity (CVSS 6.9). Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-264. libgio, when used in setuid or other privileged programs in spice-gtk and possibly other products, allows local users to gain privileges and execute arbitrary code via the DBUS_SYSTEM_BUS_ADDRESS environment variable. NOTE: it could be argued that this is a vulnerability in the applications that do not cleanse environment variables, not in libgio itself. Affected products include: Freedesktop Spice-Gtk, Gtk Libgio.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Share

CVE-2012-4425 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy