First published: Tue May 18 2021
polkit (shipped in Red Hat Enterprise Linux and most other distributions) could be tricked into bypassing the credential checks for D-Bus requests: if the process that sent a request disconnects from the bus before polkit has finished looking up its credentials, the failed lookup is mishandled and the request is treated as though it came from uid 0, so the requestor is effectively elevated to root. An unprivileged local attacker can use this to, for example, create a new local administrator. The flaw was introduced in polkit 0.113 and fixed upstream in 0.119.
Credit: secalert@redhat.com (reported by Kevin Backhouse of the GitHub Security Lab)
Affected software | Affected version | Fixed version |
---|---|---|
redhat/polkit | <0:0.115-9.el8_1.1 | 0:0.115-9.el8_1.1 |
redhat/polkit | <0:0.115-11.el8_2.1 | 0:0.115-11.el8_2.1 |
redhat/polkit | <0:0.115-11.el8_3.2 | 0:0.115-11.el8_3.2 |
redhat/polkit | <0:0.115-11.el8_4.1 | 0:0.115-11.el8_4.1 |
redhat/cri-o | <0:1.20.3-6.rhaos4.7.git0d0f863.el8 | 0:1.20.3-6.rhaos4.7.git0d0f863.el8 |
redhat/dhcp | <12:4.3.6-41.el8_3.1 | 12:4.3.6-41.el8_3.1 |
redhat/openshift-clients | <0:4.7.0-202106252127.p0.git.8b4b094.el7 | 0:4.7.0-202106252127.p0.git.8b4b094.el7 |
redhat/openshift-kuryr | <0:4.7.0-202106232224.p0.git.c7654fb.el8 | 0:4.7.0-202106232224.p0.git.c7654fb.el8 |
redhat/redhat-virtualization-host | <0:4.4.6-20210615.0.el8_4 | 0:4.4.6-20210615.0.el8_4 |
Polkit Project Polkit | <0.119 | 0.119 |
Debian Debian Linux | =11.0 | |
Canonical Ubuntu Linux | =20.04 | |
Redhat Virtualization | =4.0 | |
Redhat Virtualization Host | =4.0 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Openshift Container Platform | =4.7 | |

The platform entries combine as follows: Red Hat Virtualization 4.0 or Red Hat Virtualization Host 4.0 together with Red Hat Enterprise Linux 8.0; and Red Hat OpenShift Container Platform 4.7 together with Red Hat Enterprise Linux 7.0 or 8.0.
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible.
CVE-2021-3560 is an incorrect-authorization flaw in polkit that allows an unprivileged local attacker to bypass the credential checks polkit performs on D-Bus requests and elevate their privileges.
Because the mishandled request is treated as coming from root, the attacker obtains root-level authorization for privileged D-Bus actions, which can be used, for example, to create a new local administrator account.
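The following added Python model (not polkit's code; every name in it is invented for illustration) shows the shape of the flaw described above: a credential lookup whose failure is ignored leaves a zero-initialised uid, and an authorization path that treats uid 0 as root then fails open. The race is simulated by disconnecting the requesting client between request receipt and the credential lookup; the hardened variant fails closed on the same input.

```python
"""Simplified model of the CVE-2021-3560 logic flaw (added illustration,
not polkit's code; all names are invented for the example)."""

ROOT_UID = 0


class BusNameVanished(Exception):
    """The unique bus name that sent the request has already disconnected."""


class FakeBusDaemon:
    """Stand-in for the bus daemon's table of connected clients (constructed data)."""

    def __init__(self, owners):
        self.owners = dict(owners)          # unique bus name -> uid of its owner

    def get_connection_unix_user(self, bus_name):
        if bus_name not in self.owners:
            raise BusNameVanished(bus_name)
        return self.owners[bus_name]

    def disconnect(self, bus_name):
        self.owners.pop(bus_name, None)


def get_creds_sync(bus, bus_name, creds):
    """Out-parameter style lookup: fills creds['uid'] and returns True, or
    returns False and leaves creds untouched when the name is already gone."""
    try:
        creds["uid"] = bus.get_connection_unix_user(bus_name)
        return True
    except BusNameVanished:
        return False


def decide_vulnerable(bus, bus_name, before_lookup=None):
    """Buggy shape: the lookup's result is ignored, so a caller that vanished
    keeps the zero-initialised uid and is treated as root."""
    creds = {"uid": ROOT_UID}              # zeroed, like a C struct on the stack
    if before_lookup:
        before_lookup()                    # the client is killed at this point
    get_creds_sync(bus, bus_name, creds)   # BUG: return value not checked
    if creds["uid"] == ROOT_UID:
        return "authorized"                # root needs no further authentication
    return "challenge"                     # ordinary user: consult policy / agent


def decide_fixed(bus, bus_name, before_lookup=None):
    """Hardened shape: a caller whose credentials cannot be established is denied."""
    creds = {"uid": ROOT_UID}
    if before_lookup:
        before_lookup()
    if not get_creds_sync(bus, bus_name, creds):
        return "denied"                    # fail closed on lookup error
    if creds["uid"] == ROOT_UID:
        return "authorized"
    return "challenge"


def race_demo(decide):
    """An unprivileged client (uid 1000) sends a request and disconnects
    before the authority finishes looking up who sent it."""
    bus = FakeBusDaemon({":1.42": 1000})
    return decide(bus, ":1.42", before_lookup=lambda: bus.disconnect(":1.42"))


if __name__ == "__main__":
    print("vulnerable:", race_demo(decide_vulnerable))
    print("fixed:     ", race_demo(decide_fixed))
```

The general lesson is the one the fix applies: an identity lookup that fails must never leave the caller with a default that happens to be the most privileged identity, and the result of every such lookup has to be checked before it is used in an authorization decision.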
The severity of CVE-2021-3560 is high: CVSS v3.1 base score 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
To fix CVE-2021-3560, update polkit to version 0.119 or later, or install the patched distribution package; on Red Hat Enterprise Linux 8 that means the polkit builds listed in the table above (RHSA-2021:2236 and the related errata for the other minor-release streams).
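A practitioner checking a fleet wants to compare the installed polkit build against the fixed builds in the table without eyeballing release tags. The helper below is an added example, not code from this page or from Red Hat: it implements rpm's version comparison algorithm (the `rpmvercmp` rules, including `~` and `^`), splits epoch:version-release strings, and classifies the output of `rpm -q polkit --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n'` on a RHEL 8 host as fixed, vulnerable or unknown. The `FIXED_EVR` map is copied from the table; the sample query outputs in the `__main__` block are constructed, not taken from a real host.

```python
import re

# Fixed polkit builds per RHEL 8 minor-release stream, as listed in the table above.
FIXED_EVR = {
    "el8_1": "0:0.115-9.el8_1.1",
    "el8_2": "0:0.115-11.el8_2.1",
    "el8_3": "0:0.115-11.el8_3.2",
    "el8_4": "0:0.115-11.el8_4.1",
}


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm's rpmvercmp() does:
    1 if a is newer, -1 if older, 0 if equal.  Segments are runs of digits or
    letters; '~' marks a pre-release (sorts before anything, even end of
    string) and '^' a post-release (sorts after end of string)."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators such as '.', '-' and '_' carry no meaning; skip them.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        a_caret = i < len(a) and a[i] == "^"
        b_caret = j < len(b) and b[j] == "^"
        if a_caret or b_caret:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not a_caret:
                return 1
            if not b_caret:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take one segment of the same kind (all digits or all letters) from each side.
        numeric = a[i].isdigit()
        kind = str.isdigit if numeric else str.isalpha
        i0, j0 = i, j
        while i < len(a) and kind(a[i]):
            i += 1
        while j < len(b) and kind(b[j]):
            j += 1
        seg_a, seg_b = a[i0:i], b[j0:j]
        if not seg_b:
            return 1 if numeric else -1   # segment kinds differ: numeric is newer
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1   # the side with segments left is newer


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release).  The epoch
    is optional, and rpm prints '(none)' for a package without one; both mean 0."""
    m = re.fullmatch(r"(?:([^:]*):)?([^-]+)-(.+)", evr.strip())
    if not m:
        raise ValueError(f"not an epoch:version-release string: {evr!r}")
    epoch, version, release = m.groups()
    return ("0" if epoch in (None, "", "(none)") else epoch), version, release


def evr_compare(a, b):
    """Order two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def polkit_status(installed_evr):
    """Classify a RHEL 8 polkit EVR as 'fixed', 'vulnerable' or 'unknown'
    (unknown: the release tag is not one of the streams in the table)."""
    _, _, release = parse_evr(installed_evr)
    m = re.search(r"\.(el8_\d+)(?:\.|$)", release)
    if not m or m.group(1) not in FIXED_EVR:
        return "unknown"
    return "fixed" if evr_compare(installed_evr, FIXED_EVR[m.group(1)]) >= 0 else "vulnerable"


if __name__ == "__main__":
    # Constructed sample query outputs, not taken from a real host.
    for sample in ("(none):0.115-11.el8_4", "0:0.115-11.el8_4.1", "0:0.115-11.el8_3.1"):
        print(f"{sample:24} {polkit_status(sample)}")
```

On a live host, `rpmdev-vercmp` from rpmdevtools performs the same comparison, but the pure-Python form runs anywhere, for instance over a package inventory exported from hosts you cannot log in to. A build whose release tag is not one of the four streams in the table (for example a plain `el8` build or a rebuild from another vendor) is reported as unknown rather than guessed at.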
For more information about CVE-2021-3560, you can refer to the following resources: [Red Hat Bugzilla 1961710](https://bugzilla.redhat.com/show_bug.cgi?id=1961710), [Red Hat Bugzilla 1967424](https://bugzilla.redhat.com/show_bug.cgi?id=1967424), [Red Hat Security Advisory RHSA-2021:2236](https://access.redhat.com/errata/RHSA-2021:2236)