Permissions, Privileges, and Access Controls in PackageKit - CVE-2013-1764
Published: April 16, 2014 / Updated: August 10, 2020
Vulnerability identifier: #VU41796
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2013-1764
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
PackageKit
Software vendor:
Richard Hughes
Description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
The Zypper (aka zypp) backend in PackageKit before 0.8.8 allows local users to downgrade packages via the "install updates" method.
Remediation
Install the update from the vendor's website.
External links
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00026.html
- http://www.openwall.com/lists/oss-security/2013/02/25/20
- https://bugs.freedesktop.org/show_bug.cgi?id=61231
- https://bugzilla.novell.com/show_bug.cgi?id=804983
- https://gitorious.org/packagekit/packagekit/commit/d3d14631042237bcfe6fb30a60e59bb6d94af425
- https://gitorious.org/packagekit/packagekit/source/NEWS