CVE-2014-1420 - Deserialization of Untrusted Data vulnerability in Canonical Ubuntu-Ui-Toolkit

CVSS 2.1 - LOW (CVSS v2 vector AV:L/AC:L/Au:N/C:P/I:N/A:N)
Attack vector: LOCAL
Attack complexity: LOW
Authentication (privileges required): NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Tags: local, low complexity, canonical, CWE-502

Summary

On desktop, Ubuntu UI Toolkit's StateSaver serialised application state into files under /tmp, a world-readable and world-writable directory, so any local user could read the saved state and recover potentially sensitive data. StateSaver also opened these files without the O_EXCL flag, so a local attacker who pre-created a symlink at the expected path could redirect the write into a file of their choosing (a symlink attack). The symlink attack is partially mitigated by Ubuntu's symlink and hardlink restrictions (the fs.protected_symlinks and fs.protected_hardlinks sysctls, which refuse to follow a symlink in a sticky world-writable directory such as /tmp unless the follower owns the link or the directory); the information disclosure is not. Fixed in 1.1.1188+14.10.20140813.4-0ubuntu1 (the Ubuntu 14.10 package).
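As an added illustration of the two defects the summary describes (this is not code from Ubuntu UI Toolkit or from the Ubuntu advisory), the C program below models a StateSaver-style writer that creates its state file with a default mode and without O_EXCL, beside a hardened variant that uses O_CREAT|O_EXCL|O_NOFOLLOW and mode 0600. It plants a symlink where the state file would go and shows that the unsafe opener writes through the link into an attacker-chosen target while the hardened opener refuses with EEXIST; it also reports the permission bits each variant leaves on a freshly created file. The function names, the `state.ini` file name and the `token=hunter2` payload are constructed for this example. The scratch directory is private (created with mkdtemp), so Ubuntu's protected_symlinks restriction, which only applies to sticky world-writable directories, does not interfere with the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for a StateSaver-style open in a shared directory:
 * create-or-truncate with a default mode and neither O_EXCL nor O_NOFOLLOW.
 * If an attacker pre-planted a symlink at `path`, open() follows it and the
 * serialised state lands in the link's target. */
int open_state_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened variant: O_EXCL makes open() fail if anything, including a
 * symlink, already exists at `path` (the kernel does not follow the link);
 * O_NOFOLLOW is defence in depth; mode 0600 keeps the file private whatever
 * the process umask is. */
int open_state_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Private scratch directory, /tmp first, working directory as fallback. */
static int make_scratch_dir(char *buf, size_t n)
{
    snprintf(buf, n, "/tmp/statesaver-demo-XXXXXX");
    if (mkdtemp(buf)) return 0;
    snprintf(buf, n, "./statesaver-demo-XXXXXX");
    return mkdtemp(buf) ? 0 : -1;
}

/* Simulate the attack: the "attacker" plants a symlink named like the state
 * file, pointing at a file they chose; the "victim" then opens the state path
 * with `opener` and writes to it. Returns 1 if the victim's bytes reached the
 * attacker's target, 0 if the open was refused (errno in *err_out), -1 on a
 * setup failure. */
int run_symlink_attack(int (*opener)(const char *), int *err_out)
{
    static const char payload[] = "token=hunter2\n"; /* constructed sample state */
    char dir[64], target[96], link[96], buf[64];
    int fd, result = -1;
    ssize_t n;

    if (err_out) *err_out = 0;
    if (make_scratch_dir(dir, sizeof dir) != 0) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/state.ini", dir);

    /* Attacker: empty target file, and a symlink at the state path. */
    fd = open(target, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) goto cleanup;
    close(fd);
    if (symlink(target, link) != 0) goto cleanup;

    /* Victim: serialise state to what it believes is its own file. */
    fd = opener(link);
    if (fd < 0) {
        if (err_out) *err_out = errno;
        result = 0;                       /* open refused: attack blocked */
        goto cleanup;
    }
    if (write(fd, payload, sizeof payload - 1) < 0) { close(fd); goto cleanup; }
    close(fd);

    /* Did the payload land in the attacker-controlled target? */
    fd = open(target, O_RDONLY);
    if (fd < 0) goto cleanup;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    result = (n == (ssize_t)(sizeof payload - 1) &&
              memcmp(buf, payload, (size_t)n) == 0);

cleanup:
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

/* Permission bits of a state file created by `opener` at a fresh path, or -1.
 * The unsafe opener yields 0666 & ~umask (commonly 0644, world-readable);
 * the safe opener never grants group or other bits. */
int created_mode(int (*opener)(const char *))
{
    char dir[64], path[96];
    struct stat st;
    int fd, mode = -1;

    if (make_scratch_dir(dir, sizeof dir) != 0) return -1;
    snprintf(path, sizeof path, "%s/state.ini", dir);
    fd = opener(path);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0) mode = (int)(st.st_mode & 0777);
        close(fd);
    }
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    int err = 0;
    printf("unsafe opener: attack %s\n",
           run_symlink_attack(open_state_unsafe, &err) == 1 ? "succeeded" : "did not succeed");
    int blocked = run_symlink_attack(open_state_safe, &err) == 0;
    printf("safe opener:   attack %s (%s)\n", blocked ? "refused" : "not refused", strerror(err));
    printf("mode unsafe=%04o safe=%04o\n", created_mode(open_state_unsafe), created_mode(open_state_safe));
    return 0;
}
```

Build and run with `cc -Wall demo.c -o demo && ./demo`. The same unsafe opener used against a real /tmp on Ubuntu would be stopped by fs.protected_symlinks=1 only when the symlink's owner differs from both the opening process and the directory owner; that condition, and the fact that the sysctl does nothing for the world-readable file left behind, is why the summary calls the mitigation partial.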

Vulnerable Configurations

Part         Description   Count
Application  Canonical     1

Common Weakness Enumeration (CWE)

CWE-502: Deserialization of Untrusted Data. Note that the behaviour described in the summary (predictable files in /tmp, open without O_EXCL) corresponds more closely to CWE-377 (Insecure Temporary File) and CWE-59 (Improper Link Resolution Before File Access, 'Link Following').