Improper Authorization Affecting systemd package, versions <232-25+deb9u11
- Snyk ID SNYK-DEBIAN9-SYSTEMD-342746
- published 9 Apr 2019
- disclosed 9 Apr 2019
Introduced: 9 Apr 2019
CVE-2019-3842
How to fix?
Upgrade Debian:9 systemd to version 232-25+deb9u11 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:9 relevant fixed versions and status.
In systemd before v242-rc4, it was discovered that pam_systemd does not properly sanitize the environment before using the XDG_SEAT variable. It is possible for an attacker, in some particular configurations, to set an XDG_SEAT environment variable which allows for commands to be checked against polkit policies using the "allow_active" element rather than "allow_any".
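To gauge how much the "allow_active" versus "allow_any" distinction matters on an unpatched host, the following added example (not code from Snyk, NVD or systemd) parses a polkit policy document and lists the actions whose "allow_active" default is laxer than "allow_any". The sample policy and its action ids are constructed, and the strictness ordering and the handling of missing or unknown values as "no" are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Implicit-authorization values ranked from most to least restrictive.
# This ordering is an assumption made for the example.
RANK = {"no": 0, "auth_admin": 1, "auth_admin_keep": 2,
        "auth_self": 3, "auth_self_keep": 4, "yes": 5}

# Constructed sample policy; the action ids are hypothetical.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.demo.power-off">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.format-disk">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.example.demo.read-status">
    <defaults>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""


def actions_relying_on_active(policy_xml):
    """Return (action id, allow_any, allow_active) where allow_active is laxer."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue
        # Assumption: a missing element is treated as "no".
        any_value = (defaults.findtext("allow_any") or "no").strip()
        active_value = (defaults.findtext("allow_active") or "no").strip()
        # Unknown values are ranked like "no" (assumption of this example).
        if RANK.get(active_value, 0) > RANK.get(any_value, 0):
            findings.append((action.get("id"), any_value, active_value))
    return findings


if __name__ == "__main__":
    for action_id, any_value, active_value in actions_relying_on_active(SAMPLE_POLICY):
        print(f"{action_id}: allow_any={any_value} allow_active={active_value}")
```

Actions reported here are the ones whose authorization outcome changes if a session is wrongly treated as active, so they indicate where upgrading to the fixed package matters most.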