CVE-2014-5033
Published 2014-08-19
Priority: P4 · 20 · medium · 6.9 (CVSS 2.0)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
EPSS: 0.36% (27.7th percentile)
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
Affected
37 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| kde | kauth | <= 5.0 | — |
| kde | kdelibs | <= 4.13.97 | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
| kde | kdelibs | — | — |
CVSS provenance
nvd · v2.0 · 6.9 MEDIUM · AV:L/AC:M/Au:N/C:C/I:C/A:C
osv · 7.2 HIGH
vendor_redhat · 7.2 HIGH
Ubuntu
KDE-Libs vulnerability
vendor_ubuntu·2014-07-31
CVE-2014-5033 KDE-Libs vulnerability
Title: KDE-Libs vulnerability
Summary: kauth could be tricked into bypassing polkit authorizations.
It was discovered that kauth was using polkit in an unsafe manner. A local
attacker could possibly use this issue to bypass intended polkit
authorizations.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Red Hat
polkit-qt: insecure calling of polkit
vendor_redhat·2014-03-24·CVSS 7.2
CVE-2014-5033 [HIGH] CWE-362 polkit-qt: insecure calling of polkit
polkit-qt: insecure calling of polkit
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
It was found that polkit-qt handled authorization requests with PolicyKit via a D-Bus API that is vulnerable to a race condition. A local user could use this flaw to bypass intended PolicyKit authorizations.
GHSA
GHSA-gh63-q3pg-7q7r: KDE kdelibs before 4
ghsa_unreviewed·2022-05-17·CVSS 7.2
CVE-2014-5033 [HIGH] CWE-362 GHSA-gh63-q3pg-7q7r: KDE kdelibs before 4
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
OSV
CVE-2014-5033: KDE kdelibs before 4
osv·2014-07-23·CVSS 7.2
CVE-2014-5033 [HIGH] CVE-2014-5033: KDE kdelibs before 4
KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."
No detection rules found.
No public exploits indexed.
http://lists.opensuse.org/opensuse-updates/2014-08/msg00012.html
http://quickgit.kde.org/?p=kauth.git&a=commit&h=341b7d84b6d9c03cf56905cb277b47e11c81482a
http://quickgit.kde.org/?p=kdelibs.git&a=commitdiff&h=e4e7b53b71e2659adaf52691d4accc3594203b23
http://rhn.redhat.com/errata/RHSA-2014-1359.html
http://secunia.com/advisories/60385
http://secunia.com/advisories/60633
http://secunia.com/advisories/60654
http://www.debian.org/security/2014/dsa-3004
http://www.kde.org/info/security/advisory-20140730-1.txt
http://www.ubuntu.com/usn/USN-2304-1