Deserialization of Untrusted Data

Affecting systemd package, versions <229-4ubuntu21.8


Overview

A vulnerability in unit_deserialize of systemd allows an attacker to supply arbitrary state across systemd re-execution via NotifyAccess. This can be used to improperly influence systemd execution and possibly lead to root privilege escalation. Affected releases are systemd versions up to and including 239.
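As an added example (not part of this advisory and not systemd's own tooling): a small audit that reports which units open the notification socket beyond the service's main process, since NotifyAccess= controls which processes may send the state that systemd later deserializes. Unit names and contents below are constructed, and the default rules assumed are those documented in systemd.service(5).

```python
# Audit systemd unit definitions for NotifyAccess= settings that widen which
# processes may send sd_notify() messages to the manager. Sample units are
# constructed for this example.
import configparser

# NotifyAccess= values ordered by how widely they open the notify socket
# (per systemd.service(5)): none < main < exec < all.
ACCESS_ORDER = ["none", "main", "exec", "all"]


def effective_notify_access(unit_text: str) -> str:
    """Return the effective NotifyAccess= value of a unit's [Service] section.

    Unset (or unrecognised) means 'none', except that Type=notify makes
    systemd force it to 'main'.
    """
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # unit-file keys are case-sensitive
    parser.read_string(unit_text)
    if not parser.has_section("Service"):
        return "none"
    service = parser["Service"]
    value = service.get("NotifyAccess", "").strip()
    if value in ACCESS_ORDER:
        return value
    return "main" if service.get("Type", "").strip() == "notify" else "none"


def units_with_wide_notify_access(units: dict) -> list:
    """List (unit name, access) for units whose access is wider than 'main',
    i.e. where processes other than the main PID can reach the notify socket."""
    flagged = []
    for name, text in units.items():
        access = effective_notify_access(text)
        if ACCESS_ORDER.index(access) > ACCESS_ORDER.index("main"):
            flagged.append((name, access))
    return sorted(flagged)


# Constructed sample units (hypothetical names, not from any distribution).
SAMPLE_UNITS = {
    "plain.service": "[Service]\nExecStart=/usr/bin/true\n",
    "notify-main.service": "[Service]\nType=notify\nExecStart=/usr/bin/daemon\n",
    "notify-all.service": "[Service]\nType=notify\nNotifyAccess=all\nExecStart=/usr/bin/daemon\n",
    "exec-hook.service": "[Service]\nExecStart=/usr/bin/x\nNotifyAccess=exec\n",
}

if __name__ == "__main__":
    for name, access in units_with_wide_notify_access(SAMPLE_UNITS):
        print(f"{name}: NotifyAccess={access}")
```

On a real host the same functions can be fed the text of each file under /etc/systemd/system and /lib/systemd/system, with the flagged units reviewed alongside the package version check above.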

CVSS Score

9.8 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE: CVE-2018-15686
CWE: CWE-502
Snyk ID: SNYK-UBUNTU1604-SYSTEMD-305098
Disclosed: 26 Oct, 2018
Published: 28 Oct, 2018