CVE-2018-1106 — Improper Authentication in Project Packagekit

CWE-287 — Improper Authentication8 documents8 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 92.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Packagekit Project Packagekit RED HAT INC Packagekit Canonical Ubuntu Linux +7 more

Timeline

PublishedApr 23

Latest updateMay 13

Description

An authentication bypass flaw has been found in PackageKit before 1.1.10 that allows users without administrator privileges to install signed packages. A local attacker can use this vulnerability to install vulnerable packages to further compromise a system.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶NVDpackagekit_project/packagekit< 1.1.10

▶CVEListV5red_hat_inc/packagekitbefore 1.1.10

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

▶NVDredhat/enterprise_linux_workstation7.0

Also affects: Debian Linux 9.0, Ubuntu Linux 17.10, Enterprise Linux 7.6, 7.5

🔴Vulnerability Details

GHSA

GHSA-9pvg-w7xf-pgq7: An authentication bypass flaw has been found in PackageKit before 1↗2022-05-13

▶

CVEList

CVE-2018-1106: An authentication bypass flaw has been found in PackageKit before 1↗2018-04-23

▶

OSV

CVE-2018-1106: An authentication bypass flaw has been found in PackageKit before 1↗2018-04-23

▶

📋Vendor Advisories

Ubuntu

PackageKit vulnerability↗2018-04-24

▶

Red Hat

PackageKit: authentication bypass allows to install signed packages without administrator privileges↗2018-04-23

▶

Debian

CVE-2018-1106: packagekit - An authentication bypass flaw has been found in PackageKit before 1.1.10 that al...↗2018

▶

💬Community

Bugzilla

CVE-2018-1106 PackageKit: authentication bypass allows to install signed packages without administrator privileges↗2018-04-11

▶