{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-4964", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "state": "PUBLISHED", "assignerShortName": "canonical", "dateReserved": "2024-01-23T23:08:14.851Z", "datePublished": "2024-01-24T00:58:14.236Z", "dateUpdated": "2025-06-20T19:20:11.172Z"}, "containers": {"cna": {"affected": [{"packageName": "pipwire-pulse", "product": "Ubuntu pipewire-pulse", "vendor": "Canonical Ltd.", "platforms": ["Linux"], "versions": [{"status": "affected", "version": "0"}]}], "descriptions": [{"lang": "en", "value": "Ubuntu's pipewire-pulse in snap grants microphone access even when the snap interface for audio-record is not set."}], "references": [{"tags": ["issue-tracking"], "url": "https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1995707/"}, {"tags": ["issue-tracking"], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4964"}, {"tags": ["issue-tracking"], "url": "https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/1779"}, {"tags": ["issue-tracking"], "url": "https://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/567"}], "credits": [{"lang": "en", "type": "finder", "value": "James Henstridge"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2024-01-24T00:58:14.236Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:55:46.085Z"}, "title": "CVE Program Container", "references": [{"tags": ["issue-tracking", "x_transferred"], "url": "https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1995707/"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4964"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/1779"}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/567"}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-276", "lang": "en", "description": "CWE-276 Incorrect Default Permissions"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-01-24T16:53:38.663439Z", "id": "CVE-2022-4964", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T19:20:11.172Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1995707/", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4964", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/1779", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/567", "tags": ["issue-tracking", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:55:46.085Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-4964", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-01-24T16:53:38.663439Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T19:20:07.130Z"}}], "cna": {"credits": [{"lang": "en", "type": "finder", "value": "James Henstridge"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Canonical Ltd.", "product": "Ubuntu pipewire-pulse", "versions": [{"status": "affected", "version": "0"}], "platforms": ["Linux"], "packageName": "pipwire-pulse"}], "references": [{"url": "https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1995707/", "tags": ["issue-tracking"]}, {"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4964", "tags": ["issue-tracking"]}, {"url": "https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/1779", "tags": ["issue-tracking"]}, {"url": "https://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/567", "tags": ["issue-tracking"]}], "descriptions": [{"lang": "en", "value": "Ubuntu's pipewire-pulse in snap grants microphone access even when the snap interface for audio-record is not set."}], "providerMetadata": {"orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "shortName": "canonical", "dateUpdated": "2024-01-24T00:58:14.236Z"}}}, "cveMetadata": {"cveId": "CVE-2022-4964", "state": "PUBLISHED", "dateUpdated": "2025-06-20T19:20:11.172Z", "dateReserved": "2024-01-23T23:08:14.851Z", "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc", "datePublished": "2024-01-24T00:58:14.236Z", "assignerShortName": "canonical"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:canonical:ubuntu_pipewire-pulse:-:*:*:*:*:*:*:*", "matchCriteriaId": "C3BB6606-35AC-43FF-8CB1-9BEFC47731E3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ubuntu's pipewire-pulse in snap grants microphone access even when the snap interface for audio-record is not set."}, {"lang": "es", "value": "Pipewire-pulse en snap de Ubuntu otorga acceso al micr\u00f3fono incluso cuando la interfaz snap para grabaci\u00f3n de audio no est\u00e1 configurada."}], "id": "CVE-2022-4964", "lastModified": "2025-06-20T20:15:23.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security@ubuntu.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-24T01:15:07.977", "references": [{"source": "security@ubuntu.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1995707/"}, {"source": "security@ubuntu.com", "tags": ["Third Party Advisory"], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4964"}, {"source": "security@ubuntu.com", "tags": ["Issue Tracking", "Patch"], "url": "https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/1779"}, {"source": "security@ubuntu.com", "tags": ["Issue Tracking", "Patch"], "url": "https://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/567"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1995707/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4964"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/1779"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/567"}], "sourceIdentifier": "security@ubuntu.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "pipewire: grants microphone access even when the snap interface for audio-record", "id": "2260027", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2260027"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-601", "details": ["Ubuntu's pipewire-pulse in snap grants microphone access even when the snap interface for audio-record is not set.", "A flaw was discovered in pipewire-pulse, where Snap allows microphone access even in the absence of a configured snap interface for audio recording."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2022-4964", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "firefox:flatpak/pipewire", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pipewire", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "pipewire0.2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "thunderbird:flatpak/pipewire", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "pipewire", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-01-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-4964\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-4964\nhttps://bugs.launchpad.net/ubuntu/+source/pipewire/+bug/1995707/\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4964\nhttps://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/1779\nhttps://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/567"], "statement": "This issue does not impact any Red Hat products since snapd is neither supported nor shipped in Red Hat Enterprise Linux (RHEL).", "threat_severity": "Moderate"}

{}