CVE-2019-6133 | Date: (C)2019-01-12 (M)2024-05-24 |
In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.
CVSS Score and Metrics +CVSS Score and Metrics -CVSS V3 Severity: | CVSS V2 Severity: |
CVSS Score : 6.7 | CVSS Score : 4.4 |
Exploit Score: 0.8 | Exploit Score: 3.4 |
Impact Score: 5.9 | Impact Score: 6.4 |
|
CVSS V3 Metrics: | CVSS V2 Metrics: |
Attack Vector: LOCAL | Access Vector: LOCAL |
Attack Complexity: HIGH | Access Complexity: MEDIUM |
Privileges Required: LOW | Authentication: NONE |
User Interaction: REQUIRED | Confidentiality: PARTIAL |
Scope: UNCHANGED | Integrity: PARTIAL |
Confidentiality: HIGH | Availability: PARTIAL |
Integrity: HIGH | |
Availability: HIGH | |
| |