Vulnerability Details : CVE-2019-6133
In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. polkit identifies the process that requested an action by its PID together with the process start time it reads from the kernel, and caches authorization decisions against that pair; the bypass is possible because a cached decision was not also tied to the uid of the requesting process. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.
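The following is an added illustration of the subject identity described above; it is not polkit's code and not an exploit. It parses the two values polkit derives from /proc (the PID and field 22 of /proc/<pid>/stat, the start time in clock ticks since boot) and shows that a cached decision keyed only on that pair still applies to a process of a different uid that has come to carry the same PID and start time, whereas a check that also pins the uid (the property the polkit fix adds) rejects it. The /proc contents are constructed samples, the real uid is taken from the "Uid:" line of /proc/<pid>/status (an assumption about which uid to compare; polkit's own choice may differ), and the function names are mine.

```python
"""Process identity (pid, start_time) as polkit uses it, with and without a uid check.

Added example for CVE-2019-6133; not polkit's code. The sample /proc texts below
are constructed, not captured from a real system.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """Identity of a requesting process, plus the uid the fix compares."""
    pid: int
    start_time: int  # field 22 of /proc/<pid>/stat: clock ticks since boot
    uid: int         # real uid from the "Uid:" line of /proc/<pid>/status (assumption)


def parse_stat(stat_text: str) -> tuple[int, int]:
    """Return (pid, start_time) from the text of /proc/<pid>/stat.

    Field 2 (comm) is wrapped in parentheses and may itself contain spaces and
    parentheses, so the remaining fields must be located from the LAST ')'
    rather than by a naive split() of the whole line.
    """
    lparen = stat_text.index("(")
    rparen = stat_text.rindex(")")
    pid = int(stat_text[:lparen].strip())
    fields = stat_text[rparen + 1:].split()  # fields[0] is field 3 (state)
    start_time = int(fields[22 - 3])          # field 22 -> index 19
    return pid, start_time


def parse_uid(status_text: str) -> int:
    """Return the real uid from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[1])  # Uid: <real> <effective> <saved> <fs>
    raise ValueError("no Uid: line in status text")


def read_subject(pid: int) -> Subject:
    """Build a Subject from the live /proc entries (Linux only; not used by the test)."""
    with open(f"/proc/{pid}/stat") as f:
        pid_, start_time = parse_stat(f.read())
    with open(f"/proc/{pid}/status") as f:
        uid = parse_uid(f.read())
    return Subject(pid_, start_time, uid)


def authorization_applies(cached: Subject, live: Subject, check_uid: bool) -> bool:
    """Decide whether a decision cached for `cached` applies to process `live`.

    check_uid=False: pre-fix behaviour, pid and start_time only.
    check_uid=True:  additionally require the same uid, as the fix does.
    """
    if (cached.pid, cached.start_time) != (live.pid, live.start_time):
        return False
    return (not check_uid) or cached.uid == live.uid


# Constructed /proc samples. The stat line is cut after field 24 (rss); the
# parser needs nothing beyond field 22. The comm contains spaces and parens.
STAT_SAMPLE = ("1234 (my (odd) shell) S 1 1234 1234 0 -1 4194560 "
               "123 0 0 0 1 2 0 0 20 0 1 0 98765 4321 100")
STATUS_UID_1000 = "Name:\tshell\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
STATUS_UID_1001 = "Name:\tshell\nUid:\t1001\t1001\t1001\t1001\nGid:\t1001\t1001\t1001\t1001\n"


def demo() -> dict[str, bool]:
    """Same pid and start_time, different uid: compare both policies."""
    pid, start_time = parse_stat(STAT_SAMPLE)
    authenticated = Subject(pid, start_time, parse_uid(STATUS_UID_1000))
    # A process of another uid that carries the same pid and start_time
    # (pids are reused, and start_time has only clock-tick resolution).
    other_user = Subject(pid, start_time, parse_uid(STATUS_UID_1001))
    return {
        "pre_fix": authorization_applies(authenticated, other_user, check_uid=False),
        "post_fix": authorization_applies(authenticated, other_user, check_uid=True),
    }


if __name__ == "__main__":
    print(demo())
```

The pre-fix policy accepts the second process and the post-fix policy rejects it. The pair (pid, start_time) is not a stable identity on its own: PIDs are reused, start_time is measured in clock ticks, and the kernel commit listed under the references changes where in fork() the start time is recorded; the uid comparison is the polkit-side part of the fix.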
Exploit prediction scoring system (EPSS) score for CVE-2019-6133
Probability of exploitation activity in the next 30 days: 0.05%
Percentile (the proportion of vulnerabilities scored at or below this one): ~14%
CVSS scores for CVE-2019-6133
Version | Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
---|---|---|---|---|---|---|
CVSS v2 | 4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | [email protected] |
CVSS v3.0 | 6.7 | MEDIUM | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H | 0.8 | 5.9 | [email protected] |
CWE ids for CVE-2019-6133
- The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently. (Assigned by: [email protected], Primary)
References for CVE-2019-6133
- https://usn.ubuntu.com/3901-2/ (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:0420 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:0230 (Third Party Advisory)
- https://bugs.chromium.org/p/project-zero/issues/detail?id=1692 (Issue Tracking; Mailing List; Third Party Advisory)
- https://usn.ubuntu.com/3901-1/ (Third Party Advisory)
- https://usn.ubuntu.com/3934-1/ (Third Party Advisory)
- https://gitlab.freedesktop.org/polkit/polkit/merge_requests/19 (Patch; Third Party Advisory)
- https://gitlab.freedesktop.org/polkit/polkit/commit/c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81 (Patch; Third Party Advisory)
- https://usn.ubuntu.com/3934-2/
- https://access.redhat.com/errata/RHSA-2019:2978
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00049.html
- https://access.redhat.com/errata/RHSA-2019:2699
- https://usn.ubuntu.com/3903-1/ (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:0832 (Third Party Advisory)
- https://git.kernel.org/linus/7b55851367136b1efd84d98fea81ba57a98304cf (Patch; Third Party Advisory)
- https://usn.ubuntu.com/3908-2/ (Third Party Advisory)
- https://usn.ubuntu.com/3908-1/ (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/01/msg00021.html (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/05/msg00042.html
- https://usn.ubuntu.com/3910-1/ (Third Party Advisory)
- https://usn.ubuntu.com/3910-2/ (Third Party Advisory)
- https://support.f5.com/csp/article/K22715344 (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/05/msg00041.html
- https://usn.ubuntu.com/3903-2/ (Third Party Advisory)
- http://www.securityfocus.com/bid/106537 (Third Party Advisory; VDB Entry)
Products affected by CVE-2019-6133
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
- cpe:2.3:a:polkit_project:polkit:0.115:*:*:*:*:*:*:*