PT-2019-2179 · Systemd+6

Published: 2019-01-23 · Updated: 2024-06-15 · CVE-2019-3842

CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: systemd versions prior to v242-rc4

Description: The issue lies in the pam_systemd module of the systemd daemon, which fails to properly sanitize the environment before using the XDG_SEAT variable. In certain configurations, an attacker who can set the XDG_SEAT environment variable may have their commands checked against polkit policies using the "allow_active" element instead of "allow_any", potentially impacting the confidentiality, integrity, and availability of protected data.

Recommendations: For versions prior to v242-rc4, update to version v242-rc4 or later to resolve the issue. As a temporary workaround, consider restricting the use of the XDG_SEAT variable in the pam_systemd module to minimize the risk of exploitation.

Weakness Enumeration

Incorrect Authorization
Improper Authorization

Related Identifiers

ALT-PU-2019-1690
BDU:2019-01945
CESA-2021_1611
CVE-2019-3842
DLA-1762-1
DSA-4428-1
OPENSUSE-SU-2019_1450-1
OPENSUSE-SU-2024:11420-1
RHSA-2021:1611
RHSA-2021:3900
RHSA-2021_1611
RLSA-2021:1611
SUSE-SU-2019:1265-1
SUSE-SU-2019:1364-1
SUSE-SU-2019:1364-2
SUSE-SU-2019_1364-1
SUSE-SU-2019_1364-2
USN-3938-1

Affected Products

Alt Linux
Centos
Red Hat
Rocky Linux
Suse
Ubuntu
Systemd