CVE-2025-23222 (GCVE-0-2025-23222)
Vulnerability from cvelistv5 – Published: 2025-01-24 00:00 – Updated: 2025-02-12 20:41
Summary
An issue was discovered in Deepin dde-api-proxy through 1.0.19 in which unprivileged users can access D-Bus services as root. Specifically, dde-api-proxy runs as root and forwards messages from arbitrary local users to legacy D-Bus methods in the actual D-Bus services, and the actual D-Bus services don't know about the proxy situation (they believe that root is asking them to do things). Consequently several proxied methods, that shouldn't be accessible to non-root users, are accessible to non-root users. In situations where Polkit is involved, the caller would be treated as admin, resulting in a similar escalation of privileges.
Severity
8.4 (High)
CWE
- CWE-940 - Improper Verification of Source of a Communication Channel
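Assigner
mitre
References
- https://bugzilla.suse.com/show_bug.cgi?id=1229918
- https://www.openwall.com/lists/oss-security/2025/01/24/3
- https://security.opensuse.org/2025/01/24/dde-api-proxy-privilege-escalation.html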
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Deepin | dde-api-proxy | Affected: 0, ≤ 1.0.19 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-23222",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T17:40:55.747192Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:30.901Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "dde-api-proxy",
"vendor": "Deepin",
"versions": [
{
"lessThanOrEqual": "1.0.19",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in Deepin dde-api-proxy through 1.0.19 in which unprivileged users can access D-Bus services as root. Specifically, dde-api-proxy runs as root and forwards messages from arbitrary local users to legacy D-Bus methods in the actual D-Bus services, and the actual D-Bus services don\u0027t know about the proxy situation (they believe that root is asking them to do things). Consequently several proxied methods, that shouldn\u0027t be accessible to non-root users, are accessible to non-root users. In situations where Polkit is involved, the caller would be treated as admin, resulting in a similar escalation of privileges."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-940",
"description": "CWE-940 Improper Verification of Source of a Communication Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T17:04:19.974Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugzilla.suse.com/show_bug.cgi?id=1229918"
},
{
"url": "https://www.openwall.com/lists/oss-security/2025/01/24/3"
},
{
"url": "https://security.opensuse.org/2025/01/24/dde-api-proxy-privilege-escalation.html"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-23222",
"datePublished": "2025-01-24T00:00:00.000Z",
"dateReserved": "2025-01-13T00:00:00.000Z",
"dateUpdated": "2025-02-12T20:41:30.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}