Vulnerability Details : CVE-2020-27187
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related commands, while KDE Partition Manager is running. the mount command can then be used to gain full root privileges.
Exploit prediction scoring system (EPSS) score for CVE-2020-27187
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-27187
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
7.2
|
HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
3.9
|
10.0
|
nvd@nist.gov |
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
nvd@nist.gov |
References for CVE-2020-27187
-
https://security.gentoo.org/glsa/202011-03
KPMCore: Root privilege escalation (GLSA 202011-03) — Gentoo securityThird Party Advisory
-
https://github.com/KDE/partitionmanager/compare/v4.1.0...v4.2.0
Comparing v4.1.0...v4.2.0 · KDE/partitionmanager · GitHubRelease Notes;Third Party Advisory
-
https://kde.org/info/security/advisory-20201017-1.txt
Patch;Vendor Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1890199
1890199 – (CVE-2020-27187) CVE-2020-27187 kpmcore: kpmcore_externalcommand helper can be exploited in local privilege escalationIssue Tracking;Vendor Advisory
Products affected by CVE-2020-27187
- cpe:2.3:a:kde:partition_manager:*:*:*:*:*:*:*:*