CVE-2023-3297

Description

In Ubuntu's accountsservice an unprivileged local attacker can trigger a use-after-free vulnerability in accountsservice by sending a D-Bus message to the accounts-daemon process.

CVSS breakdown

CVSS 3.1

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected products

Canonical Ltd. / AccountService23.13.9-2ubuntu2 – 23.13.9-2ubuntu2

References

VENDOR_ADVISORYhttps://ubuntu.com/security/notices/USN-6190-1
VENDOR_ADVISORYhttps://securitylab.github.com/advisories/GHSL-2023-139_accountsservice/
MISChttps://bugs.launchpad.net/ubuntu/+source/accountsservice/+bug/2024182
CONFIRMhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3297