Use After Free Affecting systemd package, versions <244.1-0ubuntu3


Severity

medium

    Threat Intelligence

    EPSS
    0.05% (22nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-UBUNTU2004-SYSTEMD-578400
  • published 5 Feb 2020
  • disclosed 31 Mar 2020

How to fix?

Upgrade Ubuntu:20.04 systemd to version 244.1-0ubuntu3 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A heap use-after-free vulnerability was found in systemd before version v245-rc1, where asynchronous Polkit queries are performed while handling dbus messages. A local unprivileged attacker can abuse this flaw to crash systemd services or potentially execute code and elevate their privileges, by sending specially crafted dbus messages.

CVSS Scores

version 3.1
Expand this section

Snyk

7.8 medium
  • Attack Vector (AV)
    Local
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

7.8 high
Expand this section

SUSE

7.8 high
Expand this section

Red Hat

7.8 high