CVSS2: 4.4 Medium

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector | AV:L/AC:M/Au:N/C:P/I:P/A:P |

CVSS3: 6.7 Medium

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | HIGH |
Privileges Required | LOW |
User Interaction | REQUIRED |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |

EPSS: 0.001 Low (Percentile: 33.0%)

In PolicyKit (aka polkit) 0.115, the “start time” protection mechanism can
be bypassed because fork() is not atomic, and therefore authorization
decisions are improperly cached. This is related to lack of uid checking in
polkitbackend/polkitbackendinteractiveauthority.c.
Author | Note |
---|---|
mdeslaur | This issue is better fixed in the kernel, adding kernel packages to this CVE. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < 4.15.0-46.49 | UNKNOWN |
ubuntu | 18.10 | noarch | linux | < 4.18.0-16.17 | UNKNOWN |
ubuntu | 14.04 | noarch | linux | < 3.13.0-166.216 | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < 4.4.0-143.169 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < 4.15.0-1033.35 | UNKNOWN |
ubuntu | 18.10 | noarch | linux-aws | < 4.18.0-1011.13 | UNKNOWN |
ubuntu | 14.04 | noarch | linux-aws | < 4.4.0-1039.42 | UNKNOWN |
ubuntu | 16.04 | noarch | linux-aws | < 4.4.0-1077.87 | UNKNOWN |
ubuntu | 16.04 | noarch | linux-aws-hwe | < 4.15.0-1033.35~16.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-azure | < 4.18.0-1013.13~18.04.1 | UNKNOWN |
git.kernel.org/linus/7b55851367136b1efd84d98fea81ba57a98304cf
gitlab.freedesktop.org/polkit/polkit/merge_requests/19
launchpad.net/bugs/cve/CVE-2019-6133
nvd.nist.gov/vuln/detail/CVE-2019-6133
security-tracker.debian.org/tracker/CVE-2019-6133
ubuntu.com/security/notices/USN-3901-1
ubuntu.com/security/notices/USN-3901-2
ubuntu.com/security/notices/USN-3903-1
ubuntu.com/security/notices/USN-3903-2
ubuntu.com/security/notices/USN-3908-1
ubuntu.com/security/notices/USN-3908-2
ubuntu.com/security/notices/USN-3910-1
ubuntu.com/security/notices/USN-3910-2
ubuntu.com/security/notices/USN-3934-1
ubuntu.com/security/notices/USN-3934-2
www.cve.org/CVERecord?id=CVE-2019-6133