Описание
USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.
USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2022-23220
- https://github.com/gregkh/usbview/commit/bf374fa4e5b9a756789dfd88efa93806a395463b
- https://security.gentoo.org/glsa/202310-15
- https://www.debian.org/security/2022/dsa-5052
- https://www.openwall.com/lists/oss-security/2022/01/21/1
- http://www.openwall.com/lists/oss-security/2022/01/22/1
Связанные уязвимости
USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.
USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.
USBView 2.1 before 2.2 allows some local users (e.g., ones logged in v ...