Vulnerability Details CVE-2021-3560
It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.082
EPSS Ranking 91.7%
CVSS Severity
CVSS v3 Score 7.8
CVSS v2 Score 7.2
Proposed Action
Red Hat Polkit contains an incorrect authorization vulnerability through the bypassing of credential checks for D-Bus requests, allowing for privilege escalation.
Ransomware Campaign
Unknown
References
- http://packetstormsecurity.com/files/172836/polkit-Authentication-Bypass.html
- http://packetstormsecurity.com/files/172846/Facebook-Fizz-Denial-Of-Service.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1961710
- https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
- http://packetstormsecurity.com/files/172836/polkit-Authentication-Bypass.html
- http://packetstormsecurity.com/files/172846/Facebook-Fizz-Denial-Of-Service.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1961710
- https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/
Products affected by CVE-2021-3560
-
cpe:2.3:a:polkit_project:polkit:-
-
cpe:2.3:a:polkit_project:polkit:0.100
-
cpe:2.3:a:polkit_project:polkit:0.101
-
cpe:2.3:a:polkit_project:polkit:0.102
-
cpe:2.3:a:polkit_project:polkit:0.103
-
cpe:2.3:a:polkit_project:polkit:0.104
-
cpe:2.3:a:polkit_project:polkit:0.105
-
cpe:2.3:a:polkit_project:polkit:0.106
-
cpe:2.3:a:polkit_project:polkit:0.107
-
cpe:2.3:a:polkit_project:polkit:0.108
-
cpe:2.3:a:polkit_project:polkit:0.109
-
cpe:2.3:a:polkit_project:polkit:0.110
-
cpe:2.3:a:polkit_project:polkit:0.111
-
cpe:2.3:a:polkit_project:polkit:0.112
-
cpe:2.3:a:polkit_project:polkit:0.112.1
-
cpe:2.3:a:polkit_project:polkit:0.113
-
cpe:2.3:a:polkit_project:polkit:0.114
-
cpe:2.3:a:polkit_project:polkit:0.115
-
cpe:2.3:a:polkit_project:polkit:0.116
-
cpe:2.3:a:polkit_project:polkit:0.117
-
cpe:2.3:a:polkit_project:polkit:0.118
-
cpe:2.3:a:polkit_project:polkit:0.3
-
cpe:2.3:a:polkit_project:polkit:0.4
-
cpe:2.3:a:polkit_project:polkit:0.5
-
cpe:2.3:a:polkit_project:polkit:0.6
-
cpe:2.3:a:polkit_project:polkit:0.7
-
cpe:2.3:a:polkit_project:polkit:0.8
-
cpe:2.3:a:polkit_project:polkit:0.9
-
cpe:2.3:a:polkit_project:polkit:0.91
-
cpe:2.3:a:polkit_project:polkit:0.92
-
cpe:2.3:a:polkit_project:polkit:0.93
-
cpe:2.3:a:polkit_project:polkit:0.94
-
cpe:2.3:a:polkit_project:polkit:0.95
-
cpe:2.3:a:polkit_project:polkit:0.96
-
cpe:2.3:a:polkit_project:polkit:0.97
-
cpe:2.3:a:polkit_project:polkit:0.98
-
cpe:2.3:a:polkit_project:polkit:0.99
-
cpe:2.3:a:redhat:openshift_container_platform:4.7
-
cpe:2.3:a:redhat:virtualization:4.0
-
cpe:2.3:a:redhat:virtualization_host:4.0
-
cpe:2.3:o:canonical:ubuntu_linux:20.04
-
cpe:2.3:o:debian:debian_linux:11.0
-
cpe:2.3:o:redhat:enterprise_linux:7.0
-
cpe:2.3:o:redhat:enterprise_linux:8.0