CVE-2018-1116

Impact:
Low
Public Date:
2018-07-10
CWE:
CWE-285
Bugzilla:
1595404: CVE-2018-1116 polkit: Improper authorization in polkit_backend_interactive_authority_check_authorization function in polkitd
It was found that Polkit's CheckAuthorization and RegisterAuthenticationAgent D-Bus calls did not validate the client provided UID. A specially crafted program could use this flaw to submit arbitrary UIDs, triggering various denial of service or minor disclosures, such as which authentication is cached in the victim's session.

Find out more about CVE-2018-1116 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 4.4
CVSS3 Base Metrics CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact None
Availability Impact Low

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 7 polkit Affected
Red Hat Enterprise Linux 6 polkit Will not fix

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.