CVE-2019-6133

Опубликовано: 11 янв. 2019

Источник: nvd

CVSS3: 6.7

CVSS2: 4.4

EPSS Низкий

Описание

In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.

Ссылки

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00049.html
http://www.securityfocus.com/bid/106537
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2019:0230
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0420
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0832
Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2699
https://access.redhat.com/errata/RHSA-2019:2978
https://bugs.chromium.org/p/project-zero/issues/detail?id=1692
Issue Tracking
Mailing List
Third Party Advisory
https://git.kernel.org/linus/7b55851367136b1efd84d98fea81ba57a98304cf
Patch
Third Party Advisory
https://gitlab.freedesktop.org/polkit/polkit/commit/c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81
Patch
Third Party Advisory
https://gitlab.freedesktop.org/polkit/polkit/merge_requests/19
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/01/msg00021.html
Mailing List
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/05/msg00041.html
https://lists.debian.org/debian-lts-announce/2019/05/msg00042.html
https://support.f5.com/csp/article/K22715344
Third Party Advisory
https://usn.ubuntu.com/3901-1/
Third Party Advisory
https://usn.ubuntu.com/3901-2/
Third Party Advisory
https://usn.ubuntu.com/3903-1/
Third Party Advisory
https://usn.ubuntu.com/3903-2/
Third Party Advisory
https://usn.ubuntu.com/3908-1/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:polkit_project:polkit:0.115:*:*:*:*:*:*:*

Конфигурация 2

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

Конфигурация 5

Одно из

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

EPSS

Процентиль: 5%

0.00023

Низкий

6.7 Medium

CVSS3

4.4 Medium

CVSS2

Дефекты

CWE-362

Связанные уязвимости

CVE-2019-6133

CVSS3: 6.7

ubuntu

больше 6 лет назад

CVE-2019-6133

CVSS3: 7.3

redhat

больше 6 лет назад

CVE-2019-6133

CVSS3: 6.7

debian

больше 6 лет назад

In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism ...

openSUSE-SU-2019:1914-1

suse-cvrf

почти 6 лет назад

Security update for polkit

SUSE-SU-2019:2035-1

suse-cvrf

почти 6 лет назад

Security update for polkit

EPSS

Процентиль: 5%

0.00023

Низкий

6.7 Medium

CVSS3

4.4 Medium

CVSS2

Дефекты

CWE-362