CVE-2022-23220

Publication date 21 January 2022

Last updated 24 July 2024


Ubuntu priority

CVSS 3 severity score

7.8 · High

USBView 2.1 before 2.2 allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option. This affects Ubuntu, Debian, and Gentoo.
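The weakness the description names is a policy setting, not a bug in usbview's own code: a polkit action whose implicit-authorization defaults are "yes" lets pkexec run the action as root for any local session, including an SSH login, with no authentication at all. The script below is an added example, not code from the Ubuntu tracker or from the usbview project. It audits polkit action files for that setting; the two policy texts, the action id and the paths in them are constructed for the example and are assumptions, not the file any distribution ships.

```shell
#!/bin/sh
# Added example (not from the Ubuntu CVE tracker or usbview): audit polkit
# action files for implicit-authorization defaults of "yes", the setting that
# lets pkexec run an action as root without authenticating the caller.

# Constructed policy resembling the weak pre-fix shape: every default is "yes".
# The action id and exec path are assumptions for this example.
VULN_POLICY='<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.usbview.run">
    <description>Run usbview as root (constructed example)</description>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/usbview</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>'

# Constructed hardened policy: remote and inactive sessions are refused, and
# an active local session must still authenticate as an administrator.
HARDENED_POLICY='<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.usbview.run">
    <description>Run usbview as root (constructed example)</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/usbview</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
  </action>
</policyconfig>'

# Print the implicit-authorization defaults of one action file as tag=value
# lines (allow_any, allow_inactive, allow_active). Plain sed keeps this
# dependency-free; it assumes one <allow_*> element per line.
polkit_defaults() {
    sed -n 's/.*<\(allow_[a-z]*\)>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*<.*/\1=\2/p' "$1"
}

# Exit 0 and list the offending defaults when any of them is "yes" (the action
# runs with no authentication for that session class); exit 1 otherwise.
weak_polkit_defaults() {
    weak=$(polkit_defaults "$1" | grep '=yes$') || return 1
    printf '%s\n' "$weak"
}

# Check every action file installed on this host; pkexec reads them from
# /usr/share/polkit-1/actions, and any local user can read them.
audit_installed_actions() {
    for f in /usr/share/polkit-1/actions/*.policy; do
        [ -e "$f" ] || continue
        if weak_polkit_defaults "$f" >/dev/null; then
            printf 'WEAK: %s\n' "$f"
            polkit_defaults "$f" | grep '=yes$' | sed 's/^/    /'
        fi
    done
}

# Demonstration on the two constructed policies.
demo_dir=$(mktemp -d)
printf '%s\n' "$VULN_POLICY" > "$demo_dir/vuln.policy"
printf '%s\n' "$HARDENED_POLICY" > "$demo_dir/hardened.policy"
for p in "$demo_dir/vuln.policy" "$demo_dir/hardened.policy"; do
    if weak_polkit_defaults "$p" >/dev/null; then
        printf '%s: WEAK\n' "$p"
        weak_polkit_defaults "$p" | sed 's/^/    /'
    else
        printf '%s: ok\n' "$p"
    fi
done
rm -rf "$demo_dir"
```

Run `audit_installed_actions` on a host to list every action that grants root without authentication; a "yes" in allow_any is the case that matters for SSH and other non-console logins, since those sessions are neither active nor inactive in polkit's terms.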

Status

Package   Ubuntu release     Status
usbview   23.04 lunar        Not affected
          22.10 kinetic      Not affected
          22.04 LTS jammy    Fixed (2.0-21-g6fe2f4f-2ubuntu1)
          21.10 impish       Fixed (2.0-21-g6fe2f4f-2ubuntu0.21.10.3)
          21.04 hirsute      Ignored (end of life)
          20.04 LTS focal    Fixed (2.0-21-g6fe2f4f-2ubuntu0.20.04.1)
          18.04 LTS bionic   Fixed (2.0-21-g6fe2f4f-1ubuntu1.1)
          16.04 LTS xenial   Not affected

Severity score breakdown

Parameter                Value
Base score               7.8 · High
Attack vector            Local
Attack complexity        Low
Privileges required      Low
User interaction         None
Scope                    Unchanged
Confidentiality impact   High
Integrity impact         High
Availability impact      High
Vector                   CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

    • USN-5249-1: USBView vulnerability (21 January 2022)

Other references