Lucene search

K
ubuntucveUbuntu.comUB:CVE-2021-4115
HistoryFeb 14, 2022 - 12:00 a.m.

CVE-2021-4115

2022-02-1400:00:00
ubuntu.com
ubuntu.com
32
polkit
flaw
unprivileged
crash
file descriptor
exhaustion
availability

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

43.4%

There is a flaw in polkit which can allow an unprivileged user to cause
polkit to crash, due to process file descriptor exhaustion. The highest
threat from this vulnerability is to availability. NOTE: Polkit process
outage duration is tied to the failing process being reaped and a new one
being spawned

Notes

Author Note
mdeslaur Introduced by backported patch in focal+: PolkitSystemBusName-Retrieve-both-pid-and-uid.patch
OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchpolicykit-1< 0.105-26ubuntu1.3UNKNOWN
ubuntu21.10noarchpolicykit-1< 0.105-31ubuntu0.2UNKNOWN

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

43.4%