CVE-2022-23220
USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.
Published: 2022-01-21T16:15:08.193
Last Modified: 2024-11-21T06:48:13.047
Status: Modified
Source: [email protected]
Severity: CVSSv3.1: 7.8 (HIGH)
CVSSv2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
- Access Vector: LOCAL
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: COMPLETE
- Integrity Impact: COMPLETE
- Availability Impact: COMPLETE
Exploitability Score: 3.9
Impact Score: 10.0
Weaknesses
Affected Vendors & Products
References
- http://www.openwall.com/lists/oss-security/2022/01/22/1 (Mailing List, Third Party Advisory) ([email protected])
- https://github.com/gregkh/usbview/commit/bf374fa4e5b9a756789dfd88efa93806a395463b (Patch, Third Party Advisory) ([email protected])
- https://security.gentoo.org/glsa/202310-15 (Third Party Advisory) ([email protected])
- https://www.debian.org/security/2022/dsa-5052 (Third Party Advisory) ([email protected])
- https://www.openwall.com/lists/oss-security/2022/01/21/1 (Exploit, Mailing List, Patch, Third Party Advisory) ([email protected])
- http://www.openwall.com/lists/oss-security/2022/01/22/1 (Mailing List, Third Party Advisory) (af854a3a-2127-422b-91ae-364da2661108)
- https://github.com/gregkh/usbview/commit/bf374fa4e5b9a756789dfd88efa93806a395463b (Patch, Third Party Advisory) (af854a3a-2127-422b-91ae-364da2661108)
- https://security.gentoo.org/glsa/202310-15 (Third Party Advisory) (af854a3a-2127-422b-91ae-364da2661108)
- https://www.debian.org/security/2022/dsa-5052 (Third Party Advisory) (af854a3a-2127-422b-91ae-364da2661108)
- https://www.openwall.com/lists/oss-security/2022/01/21/1 (Exploit, Mailing List, Patch, Third Party Advisory) (af854a3a-2127-422b-91ae-364da2661108)