Difference between revisions of "Polkit"
Jump to navigation
Jump to search
↑ "CVE listing for CVE-2021-4034". Mitre. Retrieved January 25, 2022.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
↑ "PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit's pkexec (CVE-2021-4034)". Qualys. January 25, 2022. Retrieved January 25, 2022.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
↑ "Major Linux PolicyKit security vulnerability uncovered: Pwnkit". ZDNet. January 25, 2022. Retrieved January 25, 2022.<templatestyles src="Module:Citation/CS1/styles.css"></templatestyles>
| Line 6: | Line 6: | ||
* <code>[[pkexec]]</code> command included in <code>[[policykit-1]]</code> package | * <code>[[pkexec]]</code> command included in <code>[[policykit-1]]</code> package | ||
* [[PwnKit]] ([[CVE]]-2021-4034), [[CVSS]]: High severity | * [[PwnKit]] ([[CVE]]-2021-4034), [[CVSS]]: High severity | ||
| + | |||
| + | ==Vulnerability== | ||
| + | {{Infobox bug | ||
| + | | name = PwnKit | ||
| + | | CVE = {{CVE|2021-4034}} | ||
| + | | discovered = {{Start date and age|2021|11|18|df=yes}} | ||
| + | | discoverer = Qualys Research Team | ||
| + | | affected hardware = All architectures | ||
| + | | affected software = Polkit (all versions prior to discovery) | ||
| + | | used by = Default on every major [[Linux distribution]] | ||
| + | | website = {{URL|https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034|qualys.com}} | ||
| + | }} | ||
| + | |||
| + | A memory corruption vulnerability '''PwnKit''' ([[Common Vulnerabilities and Exposures|CVE-2021-4034]]<ref>{{cite web|url=https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034|website=Mitre|title=CVE listing for CVE-2021-4034|accessdate=January 25, 2022}}</ref>) discovered in the ''pkexec'' command (installed on all major Linux distributions) was announced on January 25, 2022.<ref>{{cite web|url=https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034|website=Qualys|title=PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit's pkexec (CVE-2021-4034)|date=January 25, 2022|accessdate=January 25, 2022}}</ref><ref>{{cite web|url=https://www.zdnet.com/article/major-linux-policykit-security-vulnerability-uncovered-pwnkit/|title=Major Linux PolicyKit security vulnerability uncovered: Pwnkit|website=ZDNet|date=January 25, 2022|accessdate=January 25, 2022}}</ref> The vulnerability dates back to the original distribution from 2009. The vulnerability received a [[Common Vulnerability Scoring System|CVSS score]] of 7.8 ("High severity") reflecting serious factors involved in a possible exploit: unprivileged users can gain full root privileges, regardless of the underlying machine architecture or whether the ''polkit'' daemon is running or not. | ||
| + | |||
== Related == | == Related == | ||
Revision as of 15:30, 10 December 2023
wikipedia:Polkit Authorization Framework
https://linux.die.net/man/8/polkit
pkexeccommand included inpolicykit-1package- PwnKit (CVE-2021-4034), CVSS: High severity
Vulnerability
A memory corruption vulnerability PwnKit (CVE-2021-4034[1]) discovered in the pkexec command (installed on all major Linux distributions) was announced on January 25, 2022.[2][3] The vulnerability dates back to the original distribution from 2009. The vulnerability received a CVSS score of 7.8 ("High severity") reflecting serious factors involved in a possible exploit: unprivileged users can gain full root privileges, regardless of the underlying machine architecture or whether the polkit daemon is running or not.
Related
See also
Advertising:
