Logic Flaw in KDE Partition Manager Allows Unrestricted Root Access
CVE-2020-27187

7.8HIGH

Key Information:

Vendor

Kde

Status
Partition Manager
Vendor
CVE Published:
26 October 2020

What is CVE-2020-27187?

A logic flaw exists in KDE Partition Manager versions prior to 4.2.0, specifically in the kpmcore_externalcommand helper. This vulnerability allows an attacker on the local machine to exploit the service that invokes D-Bus without proper validation. By manipulating the /etc/fstab file, an attacker could execute mount and other related commands while the application is running, thereby gaining full root privileges. This can lead to significant security risks, as an attacker could control the system with elevated rights.

References

https://github.com/KDE/partitionmanager/compare/v4.1.0......
x_refsource_MISC
https://kde.org/info/security/advisory-20201017-1.txt
x_refsource_CONFIRM
https://bugzilla.redhat.com/show_bug.cgi?id=1890199
x_refsource_MISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.