CVE-2020-16122: Packagekit's apt backend lets user install untrusted local packages
First published: Sat Nov 07 2020(Updated: )
PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules this may allow users to install malicious packages.
Credit: security@ubuntu.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PackageKit | ||
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =20.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2020-16122?
CVE-2020-16122 is classified as a medium severity vulnerability due to the potential for local users to install untrusted packages.
How do I fix CVE-2020-16122?
To fix CVE-2020-16122, update PackageKit to the latest version provided by your distribution's package manager.
Who is affected by CVE-2020-16122?
CVE-2020-16122 affects users of PackageKit on Ubuntu Linux versions 16.04, 18.04, and 20.04.
What is the impact of CVE-2020-16122?
The impact of CVE-2020-16122 is that it can allow unauthorized users to install malicious local packages.
Is CVE-2020-16122 being actively exploited?
As of the current knowledge, there are no known active exploits for CVE-2020-16122, but it remains a security concern.
- agent/weakness
- agent/type
- agent/softwarecombine
- agent/title
- agent/severity
- agent/author
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/packagekit project
- canonical/packagekit
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/20.04