The analysis is based on the provided vulnerability description and the commit 196d0cbea42f72e6dfecaa563681a99e9fdb4a38. The description states that Yggdrasil's D-Bus method for dispatching messages to workers performs no authentication or authorization of the caller. The commit message explicitly names the D-Bus method `Dispatch()` on the `com.redhat.Yggdrasil1` destination as the affected component.

The patch itself changes only the D-Bus configuration file `data/dbus/yggd.conf.in`: it restricts access to the `com.redhat.Yggdrasil1` destination to the `root` user. Before the fix, as the diff shows, access was granted under `<policy context="default">`, which applies to every connection on the bus, so any local user could send method calls to that destination and therefore invoke `Dispatch()`. The Go implementation of `Dispatch()` is not touched by this patch (it is elsewhere in Yggdrasil); what the fix removes is the unrestricted exposure of the method on the system bus.

Accordingly, `com.redhat.Yggdrasil1.Dispatch()` is identified as the vulnerable function (a D-Bus method), and the file_path refers to the D-Bus configuration file in which its insecure exposure was defined and subsequently corrected. A runtime profiler or a D-Bus monitor (for example `dbus-monitor --system`) would show calls to this method during exploitation.
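The following is an added example, not code from the page or from the Yggdrasil project: it shows the kind of weak `<policy context="default">` grant described above beside a hardened variant that grants `send_destination` only under `<policy user="root">`, and a small static checker that evaluates which callers a busconfig file lets send method calls to a destination. Both XML snippets are constructed approximations of the before and after state (the page does not reproduce the actual diff), and the checker assumes the documented dbus-daemon ordering (default context, then user policies, then mandatory context, last matching rule wins) with the system bus default of denying method calls when no rule matches; it models only `send_destination` rules, not group policies or interface/member constraints.

```python
"""Static check: which users may send method calls to a D-Bus destination
under a given busconfig policy file.  Added example, not Yggdrasil code."""
import xml.etree.ElementTree as ET

DEST = "com.redhat.Yggdrasil1"

# Constructed approximation of the weak configuration: any connection on the
# bus (context="default") may send to the destination, so any local user can
# call Dispatch().  Not the project's actual file.
WEAK_CONF = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="com.redhat.Yggdrasil1"/>
  </policy>
  <policy context="default">
    <allow send_destination="com.redhat.Yggdrasil1"/>
  </policy>
</busconfig>
"""

# Constructed approximation of the hardened configuration: only root may send
# to the destination; everyone else falls through to the system bus default
# (deny).  Not the project's actual file.
FIXED_CONF = """<busconfig>
  <policy user="root">
    <allow own="com.redhat.Yggdrasil1"/>
    <allow send_destination="com.redhat.Yggdrasil1"/>
  </policy>
</busconfig>
"""


def _phase(policy):
    """dbus-daemon applies default policies first, then user/group, then mandatory."""
    ctx = policy.get("context")
    if ctx == "default":
        return 0
    if ctx == "mandatory":
        return 2
    return 1


def _applies_to(policy, user):
    """Does this <policy> element apply to a connection owned by `user`?"""
    ctx = policy.get("context")
    if ctx in ("default", "mandatory"):
        return True
    if policy.get("user") is not None:
        return policy.get("user") == user
    # Group policies are not modelled in this example (assumption).
    return False


def can_send(conf_xml, user, dest=DEST):
    """Return True if `user` may send a method call to `dest` under conf_xml.

    Only send_destination rules are considered; a rule with a wildcard or an
    exact destination match counts.  The last matching rule wins, and with no
    matching rule the system bus default (deny method calls) applies.
    """
    root = ET.fromstring(conf_xml)
    if root.tag != "busconfig":
        raise ValueError("not a busconfig document")
    decision = False  # system bus default for method calls: deny
    # sorted() is stable, so file order is preserved within each phase
    for policy in sorted(root.findall("policy"), key=_phase):
        if not _applies_to(policy, user):
            continue
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            target = rule.get("send_destination")
            if target is None:
                continue
            if target == "*" or target == dest:
                decision = rule.tag == "allow"
    return decision


def exposure_report(conf_xml, users=("root", "nobody"), dest=DEST):
    """Map each user name to whether it can reach `dest`; an unprivileged
    user (here 'nobody') reaching the destination is the finding."""
    return {u: can_send(conf_xml, u, dest) for u in users}


if __name__ == "__main__":
    print("weak :", exposure_report(WEAK_CONF))
    print("fixed:", exposure_report(FIXED_CONF))
```

Run against the weak snippet the report shows `nobody` reaching `com.redhat.Yggdrasil1`; against the hardened snippet only `root` does. On a live host the same question can be answered dynamically by watching `dbus-monitor --system` while an unprivileged user attempts a call to the destination, which is also what would surface exploitation attempts in the first place.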
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/redhatinsights/yggdrasil | go | <= 0.4.6 | |