CVE-2025-23222 in api-proxyinfo

Summary

by MITRE • 01/24/2025

An issue was discovered in Deepin dde-api-proxy through 1.0.19 in which unprivileged users can access D-Bus services as root. Specifically, dde-api-proxy runs as root and forwards messages from arbitrary local users to legacy D-Bus methods in the actual D-Bus services, and the actual D-Bus services don't know about the proxy situation (they believe that root is asking them to do things). Consequently several proxied methods, that shouldn't be accessible to non-root users, are accessible to non-root users. In situations where Polkit is involved, the caller would be treated as admin, resulting in a similar escalation of privileges.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Reservation

01/13/2025

Disclosure

01/24/2025

Moderation

accepted

Entry

VDB-293268

CPE

ready

CWE

CWE-287 (confirmed)

CVSS

5.3 (VulDB)

EPSS

0.00078

KEV

Activities

very low

Sector

Agriculture, Government, ...

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2025-23222
NVD	https://nvd.nist.gov/vuln/detail/CVE-2025-23222
CVE Details	https://www.cvedetails.com/cve/CVE-2025-23222/

◂ Previous Overview Next ▸

Might our Artificial Intelligence support you?

Check our Alexa App!