Unrated severityNVD Advisory· Published Jun 11, 2019· Updated Feb 13, 2026

CVE-2019-12749

Description

dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

dbus/dbusdescription
Xorg/Dbusllm-fuzzy
Range: <1.10.28, >=1.12.0 <1.12.16, >=1.13.0 <1.13.12
osv-coords45 versions
pkg:rpm/opensuse/dbus-1&distro=openSUSE%20Leap%2015.0 pkg:rpm/opensuse/dbus-1&distro=openSUSE%20Leap%2015.1 pkg:rpm/opensuse/dbus-1&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/dbus-1-x11&distro=openSUSE%20Leap%2015.0 pkg:rpm/opensuse/dbus-1-x11&distro=openSUSE%20Leap%2015.1 pkg:rpm/suse/dbus-1&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/dbus-1&distro=SUSE%20Enterprise%20Storage%204 pkg:rpm/suse/dbus-1&distro=SUSE%20Enterprise%20Storage%205 pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/dbus-1&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/dbus-1&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/dbus-1&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/dbus-1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/dbus-1-x11&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Enterprise%20Storage%204 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Enterprise%20Storage%205 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP1 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/dbus-1-x11&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208
< 1.12.2-lp150.2.3.1+ 44 more
- (no CPE)range: < 1.12.2-lp150.2.3.1
- (no CPE)range: < 1.12.2-lp151.4.3.1
- (no CPE)range: < 1.12.20-5.5
- (no CPE)range: < 1.12.2-lp150.2.3.1
- (no CPE)range: < 1.12.2-lp151.4.3.1
- (no CPE)range: < 1.8.22-29.17.7
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-29.17.7
- (no CPE)range: < 1.12.2-3.5.1
- (no CPE)range: < 1.12.2-8.3.1
- (no CPE)range: < 1.2.10-3.34.8.1
- (no CPE)range: < 1.2.10-3.34.8.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-11.3.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-29.17.7
- (no CPE)range: < 1.8.22-11.3.1
- (no CPE)range: < 1.8.22-11.3.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-29.17.7
- (no CPE)range: < 1.8.22-29.17.7
- (no CPE)range: < 1.8.22-29.17.12
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-29.17.12
- (no CPE)range: < 1.12.2-3.5.1
- (no CPE)range: < 1.12.2-8.3.1
- (no CPE)range: < 1.2.10-3.34.8.1
- (no CPE)range: < 1.2.10-3.34.8.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-11.3.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-29.17.12
- (no CPE)range: < 1.8.22-11.3.1
- (no CPE)range: < 1.8.22-11.3.1
- (no CPE)range: < 1.8.22-24.19.1
- (no CPE)range: < 1.8.22-29.17.12
- (no CPE)range: < 1.8.22-29.17.12

Patches

Vulnerability mechanics

References

lists.opensuse.org/opensuse-security-announce/2019-06/msg00059.htmlmitrevendor-advisoryx_refsource_SUSE
lists.opensuse.org/opensuse-security-announce/2019-06/msg00092.htmlmitrevendor-advisoryx_refsource_SUSE
lists.opensuse.org/opensuse-security-announce/2019-07/msg00026.htmlmitrevendor-advisoryx_refsource_SUSE
access.redhat.com/errata/RHSA-2019:1726mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/errata/RHSA-2019:2868mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/errata/RHSA-2019:2870mitrevendor-advisoryx_refsource_REDHAT
access.redhat.com/errata/RHSA-2019:3707mitrevendor-advisoryx_refsource_REDHAT
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU/mitrevendor-advisoryx_refsource_FEDORA
security.gentoo.org/glsa/201909-08mitrevendor-advisoryx_refsource_GENTOO
usn.ubuntu.com/4015-1/mitrevendor-advisoryx_refsource_UBUNTU
usn.ubuntu.com/4015-2/mitrevendor-advisoryx_refsource_UBUNTU
www.debian.org/security/2019/dsa-4462mitrevendor-advisoryx_refsource_DEBIAN
www.openwall.com/lists/oss-security/2019/06/11/2mitremailing-listx_refsource_MLIST
www.securityfocus.com/bid/108751mitrevdb-entryx_refsource_BID
lists.debian.org/debian-lts-announce/2019/06/msg00005.htmlmitremailing-listx_refsource_MLIST
seclists.org/bugtraq/2019/Jun/16mitremailing-listx_refsource_BUGTRAQ
www.openwall.com/lists/oss-security/2019/06/11/2mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000