Vulnerability Description
In Ubuntu's trust-store, if a user revokes location access from an application, the location is still available to the application because the application will honour incorrect, cached permissions. This is because the cache was not ordered by creation time by the Select struct in src/core/trust/impl/sqlite3/store.cpp. Fixed in trust-store (Ubuntu) version 1.1.0+15.04.20150123-0ubuntu1 and trust-store (Ubuntu RTM) version 1.1.0+15.04.20150123~rtm-0ubuntu1.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Canonical | Trust-Store \(Ubuntu\) | < 1.1.0 |
| Canonical | Trust-Store \(Ubuntu Rtm\) | < 1.1.0 |
Related Weaknesses (CWE)
References
- https://bazaar.launchpad.net/~phablet-team/trust-store/trunk/revision/82PatchThird Party Advisory
- https://launchpad.net/bugs/1387734ExploitPatchThird Party Advisory
- https://bazaar.launchpad.net/~phablet-team/trust-store/trunk/revision/82PatchThird Party Advisory
- https://launchpad.net/bugs/1387734ExploitPatchThird Party Advisory
FAQ
What is CVE-2014-1422?
CVE-2014-1422 is a vulnerability with a CVSS score of 5.0 (MEDIUM). In Ubuntu's trust-store, if a user revokes location access from an application, the location is still available to the application because the application will honour incorrect, cached permissions. Th...
How severe is CVE-2014-1422?
CVE-2014-1422 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2014-1422?
Check the references section above for vendor advisories and patch information. Affected products include: Canonical Trust-Store \(Ubuntu\), Canonical Trust-Store \(Ubuntu Rtm\).