Vulnerability Report

CVE-2018-19788

Title: Polkit Project Polkit Improper Input Validation

Improper Input Validation

Proof Of Concept

PoC Available for CVE-2018-19788

CWE Category CWE-20
Published Date Dec 03, 2018
Modified Date Nov 21, 2024
Exploit Status Available
Score 8.8 CVSS v3.0
Exploit Probability (EPSS)
59.64%

Vulnerability Summary

CVE-2018-19788: A flaw was found in PolicyKit (aka polkit) 0.115 that allows a user with a uid greater than INT_MAX to successfully execute any systemctl command.

Impacted Vendors

P
polkit_project 1
F
freedesktop 1

Reference Links

https://access.redhat.com/errata/RHSA-2019:2046 https://access.redhat.com/errata/RHSA-2019:3232 https://bugs.debian.org/915332 https://gitlab.freedesktop.org/polkit/polkit/issues/74 https://lists.debian.org/debian-lts-announce/2019/01/msg00021.html https://security.gentoo.org/glsa/201908-14 https://usn.ubuntu.com/3861-1/ https://usn.ubuntu.com/3861-2/ https://www.debian.org/security/2018/dsa-4350 https://access.redhat.com/errata/RHSA-2019:2046 https://access.redhat.com/errata/RHSA-2019:3232 https://bugs.debian.org/915332 https://gitlab.freedesktop.org/polkit/polkit/issues/74 https://lists.debian.org/debian-lts-announce/2019/01/msg00021.html https://security.gentoo.org/glsa/201908-14 https://security.netapp.com/advisory/ntap-20240816-0001/ https://usn.ubuntu.com/3861-1/ https://usn.ubuntu.com/3861-2/ https://www.debian.org/security/2018/dsa-4350
CVSS v3.0
Source Entity [email protected]
Severity HIGH
8.8
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
UNCHANGED
RAW VECTOR CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0
Source Entity [email protected]
Severity HIGH
9.0
Access Vector
N/A
Authentication
N/A
RAW VECTOR AV:N/AC:L/Au:S/C:C/I:C/A:C

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2018-19788 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/Ekultek/PoC
View Code
GitHub https://github.com/AbsoZed/CVE-2018-19788
View Code
GitHub https://github.com/robertdebock/ansible-role-cve_2018_19788
View Code
GitHub https://github.com/d4gh0s7/CVE-2018-19788
View Code
GitHub https://github.com/jhlongjr/CVE-2018-19788
View Code
MODIFIED

Vulnerability data or affected products updated.

PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector NETWORK
Complexity LOW
Privileges N/A
Interaction NONE
CVSS Vector String CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Stack

No specific products linked.