CVE-2022-23220

Exploit

EPSS 0.09%
Veröffentlicht 21.01.2022 16:15:08
Zuletzt bearbeitet 21.11.2024 06:48:13
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Usbview Project ≫ Usbview Version < 2.2

   Canonical ≫ Ubuntu Linux Version-
   Debian ≫ Debian Linux Version-
   Gentoo ≫ Linux Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.254

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.8	1.8	5.9	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.2	3.9	10	AV:L/AC:L/Au:N/C:C/I:C/A:C

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

http://www.openwall.com/lists/oss-security/2022/01/22/1

Third Party Advisory

Mailing List

https://github.com/gregkh/usbview/commit/bf374fa4e5b9a756789dfd88efa93806a395463b

Patch

Third Party Advisory

https://security.gentoo.org/glsa/202310-15

Third Party Advisory

https://www.debian.org/security/2022/dsa-5052

Third Party Advisory

https://www.openwall.com/lists/oss-security/2022/01/21/1

Patch