{"id":"CVE-2021-3560","details":"It was found that polkit could be tricked into bypassing the credential checks for D-Bus requests, elevating the privileges of the requestor to the root user. This flaw could be used by an unprivileged local attacker to, for example, create a new local administrator. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.","modified":"2026-04-11T12:36:38.593267Z","published":"2022-02-16T19:15:08.450Z","related":["MGASA-2021-0244","SUSE-SU-2021:1842-1","SUSE-SU-2021:1843-1","SUSE-SU-2021:1844-1","openSUSE-SU-2021:0838-1","openSUSE-SU-2021:1843-1","openSUSE-SU-2024:11180-1"],"database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","extracted_events":[{"last_affected":"4.7"}],"cpe":"cpe:2.3:a:redhat:openshift_container_platform:4.7:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"4.0"}],"cpe":"cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"4.0"}],"cpe":"cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"20.04"}],"cpe":"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:*:*:*:*"},{"source":"CPE_FIELD","extracted_events":[{"last_affected":"11.0"}],"cpe":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-3560"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/172836/polkit-Authentication-Bypass.html"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/172846/Facebook-Fizz-Denial-Of-Service.html"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961710"},{"type":"EVIDENCE","url":"https://github.blog/2021-06-10-privilege-escalation-polkit-root-on-linux-with-bug/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.freedesktop.org/polkit/polkit","events":[{"introduced":"0"},{"fixed":"2e5348bf4eb0ef984db32f7f96ec6722d441c6ca"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"0.119"}],"cpe":"cpe:2.3:a:polkit_project:polkit:*:*:*:*:*:*:*:*"}}],"versions":["0.100","0.101","0.102","0.103","0.104","0.105","0.106","0.107","0.108","0.109","0.110","0.111","0.112","0.113","0.114","0.115","0.116","0.117","0.118","0.91","0.92","0.93","0.94","0.95","0.96","0.97","0.98","0.99","POLICY_KIT_0_3","POLICY_KIT_0_4","POLICY_KIT_0_5","POLICY_KIT_0_6","POLICY_KIT_0_7","POLICY_KIT_0_8","POLICY_KIT_0_9","start"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3560.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}