PackageKit error messages leak presence and mimetype of files to unprivileged users
CVE-2020-16121

3.3 LOW

Key Information:

Vendor

Packagekit

CVE Published:
7 November 2020

What is CVE-2020-16121?

PackageKit provided detailed error messages to unprivileged callers, exposing the presence and MIME type of files that the calling user would be unable to determine on their own.

Affected Version(s)

PackageKit 1.1.13-2ubuntu < 1.1.13-2ubuntu1.1

PackageKit 1.1.9-1ubuntu2 < 1.1.9-1ubuntu2.18.04.6

PackageKit 0.8.17-4ubuntu6 < 0.8.17-4ubuntu6~gcc5.4ubuntu1.5

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Vaisha Bernard