CVE-2013-4288

Race condition in PolicyKit (aka polkit) allows local users to bypass intended PolicyKit restrictions and gain privileges by starting a setuid or pkexec process before the authorization check is performed, related to (1) the polkit_unix_process_new API function, (2) the dbus API, or (3) the --process (unix-process) option for authorization to pkcheck.

Details Source

Mitre

Public Date

2013-09-18 00:00:00

Impact

Important

Bugzilla

CVE-2013-4288 polkit: unix-process subject for authorization is racy

Bugzilla ID

1002375

CVSS Status

verified

Base Score

6.90

Base Metrics

AV:L/AC:M/Au:N/C:C/I:C/A:C

Acknowledgements

Red Hat would like to thank Sebastian Krahmer of the SUSE Security Team for reporting this issue.

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat Enterprise Linux 6 (polkit) | RHSA-2013:1270 | 2013-09-19

CWE

CWE-362

Affected Packages State

Platform | Package | State
Red Hat Enterprise Linux 7 | polkit | Not affected