CVE-2013-4327

CWE-362 — Race Condition9 documents8 sources

Severity

6.9MEDIUM

EPSS

0.0%

top 90.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Systemd Project Systemd Canonical Ubuntu Linux Debian Debian Linux

Timeline

PublishedOct 3

Latest updateMay 13

Description

systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288.

CVSS vector

AV:L/AC:M/C:C/I:C/A:CExploitability: 3.4 | Impact: 10.0

Affected Packages2 packages

▶Debiansystemd< 204-5+3

▶NVDsystemd_project/systemd207

Also affects: Debian Linux 7.0, Ubuntu Linux 13.04

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-v982-v47w-8j5p: systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leve↗2022-05-13

▶

CVEList

CVE-2013-4327: systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leve↗2013-10-03

▶

OSV

CVE-2013-4327: systemd does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leve↗2013-10-03

▶

📋Vendor Advisories

Red Hat

systemd: insecure calling of polkit↗2013-09-18

▶

Ubuntu

systemd vulnerability↗2013-09-18

▶

Debian

CVE-2013-4327: systemd - systemd does not properly use D-Bus for communication with a polkit authority, w...↗2013

▶

💬Community

Bugzilla

CVE-2013-4327 systemd: insecure calling of polkit [fedora-all]↗2013-09-18

▶

Bugzilla

CVE-2013-4327 systemd: insecure calling of polkit↗2013-09-11

▶