CVE-2014-5033
polkit-qt: insecure calling of polkit
Severity Score
6.9
*CVSS v2
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
KDE kdelibs anterior a 4.14 y kauth anterior a 5.1 no utilizan debidamente D-Bus para la comunicación con una autoridad polkit, lo que permite a usuarios locales evadir las restricciones de acceso mediante el aprovechamiento de una condición de carrera PolkitUnixProcess PolkitSubject a través de un proceso (1) setuid o (2) pkexec, relacionado con el CVE-2013-4288 y 'condiciones de carrera de reuso PID.'
It was found that polkit-qt handled authorization requests with PolicyKit via a D-Bus API that is vulnerable to a race condition. A local user could use this flaw to bypass intended PolicyKit authorizations.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2014-07-22 CVE Reserved
- 2014-07-31 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- 2024-08-06 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (12)
| URL | Tag | Source |
|---|---|---|
| http://quickgit.kde.org/?p=kauth.git&a=commit&h=341b7d84b6d9c03cf56905cb277b47e11c81482a | X_refsource_confirm | |
| http://secunia.com/advisories/60385 | Third Party Advisory | |
| http://secunia.com/advisories/60633 | Third Party Advisory | |
| http://secunia.com/advisories/60654 | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23 | 2024-08-06 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| http://lists.opensuse.org/opensuse-updates/2014-08/msg00012.html | 2014-10-16 | |
| http://rhn.redhat.com/errata/RHSA-2014-1359.html | 2014-10-16 | |
| http://www.debian.org/security/2014/dsa-3004 | 2014-10-16 | |
| http://www.kde.org/info/security/advisory-20140730-1.txt | 2014-10-16 | |
| http://www.ubuntu.com/usn/USN-2304-1 | 2014-10-16 | |
| https://access.redhat.com/security/cve/CVE-2014-5033 | 2014-10-06 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1094890 | 2014-10-06 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Debian Search vendor "Debian" | Kde4libs Search vendor "Debian" for product "Kde4libs" | - | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04" | lts |
Affected
| ||||||
| Kde Search vendor "Kde" | Kauth Search vendor "Kde" for product "Kauth" | <= 5.0 Search vendor "Kde" for product "Kauth" and version " <= 5.0" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | <= 4.13.97 Search vendor "Kde" for product "Kdelibs" and version " <= 4.13.97" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.10.0 Search vendor "Kde" for product "Kdelibs" and version "4.10.0" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.10.1 Search vendor "Kde" for product "Kdelibs" and version "4.10.1" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.10.2 Search vendor "Kde" for product "Kdelibs" and version "4.10.2" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.10.3 Search vendor "Kde" for product "Kdelibs" and version "4.10.3" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.10.95 Search vendor "Kde" for product "Kdelibs" and version "4.10.95" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.10.97 Search vendor "Kde" for product "Kdelibs" and version "4.10.97" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.11.0 Search vendor "Kde" for product "Kdelibs" and version "4.11.0" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.11.1 Search vendor "Kde" for product "Kdelibs" and version "4.11.1" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.11.2 Search vendor "Kde" for product "Kdelibs" and version "4.11.2" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.11.3 Search vendor "Kde" for product "Kdelibs" and version "4.11.3" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.11.4 Search vendor "Kde" for product "Kdelibs" and version "4.11.4" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.11.5 Search vendor "Kde" for product "Kdelibs" and version "4.11.5" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.11.80 Search vendor "Kde" for product "Kdelibs" and version "4.11.80" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.11.90 Search vendor "Kde" for product "Kdelibs" and version "4.11.90" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.11.95 Search vendor "Kde" for product "Kdelibs" and version "4.11.95" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.11.97 Search vendor "Kde" for product "Kdelibs" and version "4.11.97" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.12.0 Search vendor "Kde" for product "Kdelibs" and version "4.12.0" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.12.1 Search vendor "Kde" for product "Kdelibs" and version "4.12.1" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.12.2 Search vendor "Kde" for product "Kdelibs" and version "4.12.2" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.12.3 Search vendor "Kde" for product "Kdelibs" and version "4.12.3" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.12.4 Search vendor "Kde" for product "Kdelibs" and version "4.12.4" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.12.5 Search vendor "Kde" for product "Kdelibs" and version "4.12.5" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.12.80 Search vendor "Kde" for product "Kdelibs" and version "4.12.80" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.12.90 Search vendor "Kde" for product "Kdelibs" and version "4.12.90" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.12.95 Search vendor "Kde" for product "Kdelibs" and version "4.12.95" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.12.97 Search vendor "Kde" for product "Kdelibs" and version "4.12.97" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.13.0 Search vendor "Kde" for product "Kdelibs" and version "4.13.0" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.13.1 Search vendor "Kde" for product "Kdelibs" and version "4.13.1" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.13.2 Search vendor "Kde" for product "Kdelibs" and version "4.13.2" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.13.3 Search vendor "Kde" for product "Kdelibs" and version "4.13.3" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.13.80 Search vendor "Kde" for product "Kdelibs" and version "4.13.80" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.13.90 Search vendor "Kde" for product "Kdelibs" and version "4.13.90" | - |
Affected
| ||||||
| Kde Search vendor "Kde" | Kdelibs Search vendor "Kde" for product "Kdelibs" | 4.13.95 Search vendor "Kde" for product "Kdelibs" and version "4.13.95" | - |
Affected
| ||||||