CVE-2014-5033

CWE-362 — Race Condition7 documents7 sources

Severity

6.9MEDIUM

EPSS

0.0%

top 90.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

KDE Kauth KDE Kdelibs Canonical Ubuntu Linux

Timeline

PublishedAug 19

Latest updateMay 17

Description

KDE kdelibs before 4.14 and kauth before 5.1 does not properly use D-Bus for communication with a polkit authority, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, related to CVE-2013-4288 and "PID reuse race conditions."

CVSS vector

AV:L/AC:M/C:C/I:C/A:CExploitability: 3.4 | Impact: 10.0

Affected Packages3 packages

▶NVDkde/kauth5.0

▶NVDkde/kdelibs4.13.97+33

▶Ubuntukde4libs< 4:4.13.2a-0ubuntu0.3

Also affects: Ubuntu Linux 12.04, 14.04

Patches

Patch: quickgit.kde.org ↗Patch: quickgit.kde.org ↗

🔴Vulnerability Details

GHSA

GHSA-gh63-q3pg-7q7r: KDE kdelibs before 4↗2022-05-17

▶

CVEList

CVE-2014-5033: KDE kdelibs before 4↗2014-08-19

▶

OSV

CVE-2014-5033: KDE kdelibs before 4↗2014-07-23

▶

📋Vendor Advisories

Ubuntu

KDE-Libs vulnerability↗2014-07-31

▶

Red Hat

polkit-qt: insecure calling of polkit↗2014-03-24

▶

💬Community

Bugzilla

CVE-2014-5033 polkit-qt: insecure calling of polkit↗2014-05-06

▶