CVE-2019-6133

Description

In PolicyKit (aka polkit) 0.115, the "start time" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.

How to fix CVE-2019-6133

To remediate CVE-2019-6133, upgrade the affected package to a fixed version below.

Alpine/polkit—upgrade to 0.105-r10 or later
—upgrade to 4.19.16-1 or later
—upgrade to 0.105-25 or later

Is CVE-2019-6133 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 0.105-r10
from 0, < 4.19.16-1
from 0, < 0.105-25

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.7	CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2019-6133
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-6133