CVE-2020-16122: Improper Privilege Management in PackageKit

Severity
NVD: 7.8 HIGH
CNA: 8.2
OSV: 3.3
EPSS
0.1% (top 76.42%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 7
Latest update: May 24

Description

PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (1 package)

CVEList V5 | packagekit/packagekit | 1.1.13-2ubuntu1 | 1.1.13-2ubuntu1.1 | +2

Also affects: Ubuntu Linux 16.04, 18.04, 20.04

Vulnerability Details (4)

GHSA: GHSA-jfj4-x686-g8vv: PackageKit's apt backend mistakenly treated all local debs as trusted (2022-05-24)
CVEList: Packagekit's apt backend lets user install untrusted local packages (2020-11-07)
OSV: CVE-2020-16122: PackageKit's apt backend mistakenly treated all local debs as trusted (2020-11-07)
OSV: packagekit vulnerabilities (2020-09-24)

Vendor Advisories (3)

Red Hat: PackageKit: local user could possibly use this issue to install untrusted packages (2020-09-24)
Ubuntu: PackageKit vulnerabilities (2020-09-24)
Debian: CVE-2020-16122: packagekit - PackageKit's apt backend mistakenly treated all local debs as trusted. The apt s... (2020)

Community (2)

Bugzilla: CVE-2020-16122 PackageKit: local user could possibly use this issue to install untrusted packages [fedora-all] (2020-10-02)
Bugzilla: CVE-2020-16122 PackageKit: local user could possibly use this issue to install untrusted packages (2020-10-02)
CVE-2020-16122 — Improper Privilege Management | cvebase