7.5 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
8.2 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.2%
Local Root Exploit via Configuration Dictionary in dnf5daemon-serverΒ before 5.1.17 allows a malicious user to impact Confidentiality and Integrity via Configuration Dictionary.
There are issues with the D-Bus interface long before Polkit is invoked. The org.rpm.dnf.v0.SessionManager.open_session
method takes a key/value map of configuration entries. A sub-entry in this map, placed under the βconfigβ key, is another key/value map. The configuration values found in it will be forwarded as configuration overrides to the libdnf5::Base
configuration.
Practically all libdnf5 configuration aspects can be influenced here. Already when opening the session via D-Bus, the libdnf5 will be initialized using these override configuration values. There is no sanity checking of the content of this βconfigβ map, which is untrusted data.Β It is possible to make the library loading a plug-in shared library under control of an unprivileged user, hence achieving root access.
[
{
"vendor": "Fedora",
"product": "dnf5daemon-server",
"platforms": [
"Linux"
],
"packageName": "dnf5daemon-server",
"versions": [
{
"status": "affected",
"version": "5.1.16<="
}
],
"defaultStatus": "unaffected"
}
]
7.5 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
8.2 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
9.2%