Your submission was sent successfully! Close

CVE-2018-1106

Published: 23 April 2018

An authentication bypass flaw has been found in PackageKit before 1.1.10 that allows users without administrator privileges to install signed packages. A local attacker can use this vulnerability to install vulnerable packages to further compromise a system.

Priority

High

CVSS 3 base score: 5.5

Status

Package Release Status
packagekit
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(code not present)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was not-affected [code not present])
Patches:
Upstream: https://github.com/hughsie/PackageKit/commit/7e8a7905ea9abbd1f384f05f36a4458682cd4697

Notes

AuthorNote
mdeslaur
introduced by f176976e24e8c17b80eff222572275517c16bdad
introduced in 1.0.10

References