Vulnerability Details CVE-2020-27187
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related commands, while KDE Partition Manager is running. the mount command can then be used to gain full root privileges.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 32.6%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 7.2
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1890199
- https://github.com/KDE/partitionmanager/compare/v4.1.0...v4.2.0
- https://kde.org/info/security/advisory-20201017-1.txt
- https://security.gentoo.org/glsa/202011-03
- https://bugzilla.redhat.com/show_bug.cgi?id=1890199
- https://github.com/KDE/partitionmanager/compare/v4.1.0...v4.2.0
- https://kde.org/info/security/advisory-20201017-1.txt
- https://security.gentoo.org/glsa/202011-03
Products affected by CVE-2020-27187
-
cpe:2.3:a:kde:partition_manager:4.1.0