Lucene search

[email protected]NVD:CVE-2019-6133

HistoryJan 11, 2019 - 2:29 p.m.

CVE-2019-6133

2019-01-1114:29:00

CWE-362

[email protected]

web.nvd.nist.gov

4.4 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

33.0%

JSON

In PolicyKit (aka polkit) 0.115, the “start time” protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.

Affected configurations

NVD

Node

polkit_projectpolkitMatch0.115

Node

debiandebian_linuxMatch8.0

Node

redhatenterprise_linux_desktopMatch7.0

redhatenterprise_linux_serverMatch7.0

redhatenterprise_linux_server_ausMatch7.6

redhatenterprise_linux_server_eusMatch7.6

redhatenterprise_linux_server_tusMatch7.6

redhatenterprise_linux_workstationMatch7.0

Node

redhatenterprise_linux_desktopMatch6.0

redhatenterprise_linux_serverMatch6.0

redhatenterprise_linux_server_ausMatch6.6

redhatenterprise_linux_workstationMatch6.0

Node

canonicalubuntu_linuxMatch12.04esm

canonicalubuntu_linuxMatch14.04lts

canonicalubuntu_linuxMatch16.04lts

canonicalubuntu_linuxMatch18.04lts

canonicalubuntu_linuxMatch18.10

References

lists.opensuse.org/opensuse-security-announce/2019-08/msg00049.html

www.securityfocus.com/bid/106537

access.redhat.com/errata/RHSA-2019:0230

access.redhat.com/errata/RHSA-2019:0420

access.redhat.com/errata/RHSA-2019:0832

access.redhat.com/errata/RHSA-2019:2699

access.redhat.com/errata/RHSA-2019:2978

bugs.chromium.org/p/project-zero/issues/detail?id=1692

git.kernel.org/linus/7b55851367136b1efd84d98fea81ba57a98304cf

gitlab.freedesktop.org/polkit/polkit/commit/c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81

gitlab.freedesktop.org/polkit/polkit/merge_requests/19

lists.debian.org/debian-lts-announce/2019/01/msg00021.html

lists.debian.org/debian-lts-announce/2019/05/msg00041.html

lists.debian.org/debian-lts-announce/2019/05/msg00042.html

support.f5.com/csp/article/K22715344

usn.ubuntu.com/3901-1/

usn.ubuntu.com/3901-2/

usn.ubuntu.com/3903-1/

usn.ubuntu.com/3903-2/

usn.ubuntu.com/3908-1/

usn.ubuntu.com/3908-2/

usn.ubuntu.com/3910-1/

usn.ubuntu.com/3910-2/

usn.ubuntu.com/3934-1/

usn.ubuntu.com/3934-2/

4.4 Medium

CVSS2

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

6.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

6.7 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

33.0%

JSON

Related for NVD:CVE-2019-6133

oraclelinux5 f51 suse1 nessus46 centos2 redhat5 openvas27 prion1 ibm1 amazon1 osv3 cvelist1 veracode1 alpinelinux1 ubuntu10 ubuntucve1 debiancve1 cve1 redhatcve1 debian3 cloudfoundry2 photon6