CVE-2021-44225

In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property

Published: Nov 26, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-44225
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS v2:

Severity: Medium
Score: 5.5
AV:N/AC:L/Au:S/C:P/I:P/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
keepalived / keepalived	-	2.2.4.x
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x

https://github.com/acassen/keepalived/commit/7977fec0be89ae6fe87405b3f8da2f0b5e415e3d
https://github.com/acassen/keepalived/pull/2063
https://lists.debian.org/debian-lts-announce/2023/04/msg00012.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/5226RYNMNB7FL4MSJDIBBGPUWH6LMRYV/
https://lists.fedoraproject.org/archives/list/[email protected]/message/6O2R6EXURJQFPFPYFWRCZLUYVWQCLSZM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5226RYNMNB7FL4MSJDIBBGPUWH6LMRYV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6O2R6EXURJQFPFPYFWRCZLUYVWQCLSZM/

Vulnerability Database

290,206

CVE-2021-44225