CVE-2018-1106

Impact: Moderate
Public Date: 2018-04-23
CWE: CWE-287
Bugzilla: 1565992: CVE-2018-1106 PackageKit: authentication bypass allows to install signed packages without administrator privileges

An authentication bypass flaw has been found in PackageKit that allows users without administrator privileges to install signed packages. A local attacker can use this vulnerability to install vulnerable packages to further compromise a system.

Find out more about CVE-2018-1106 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score: 5.5
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity Impact: High
Availability Impact: None

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat Enterprise Linux 7 (PackageKit) | RHSA-2018:1224 | 2018-04-24

Affected Packages State

Platform | Package | State
Red Hat Enterprise Linux 8 | PackageKit | Will not fix
Red Hat Enterprise Linux 6 | PackageKit | Not affected

Acknowledgements

Red Hat would like to thank Matthias Gerstner (SUSE) for reporting this issue.
