{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu16.04els/vex/2019/cve-2019-6133-els_os-ubuntu16_04els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-24T11:42:30Z",
      "generator": {
        "date": "2026-04-24T11:42:30Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2019-6133-ELS_OS-UBUNTU16.04ELS",
      "initial_release_date": "2019-01-11T14:29:00Z",
      "revision_history": [
        {
          "date": "2019-01-11T14:29:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-20T15:28:25Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-04-24T11:42:30Z",
          "number": "3",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "3"
    },
    "title": "Security update on CVE-2019-6133"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Ubuntu 16.04",
                "product": {
                  "name": "Ubuntu 16.04",
                  "product_id": "Ubuntu-16",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Ubuntu"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5.amd64",
                "product": {
                  "name": "libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5.amd64",
                  "product_id": "libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/ubuntu/libpolkit-agent-1-dev@0.105-14.1ubuntu0.5?arch=amd64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Canonical Ltd."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5+tuxcare.els1.amd64",
                "product": {
                  "name": "libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5+tuxcare.els1.amd64",
                  "product_id": "libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5+tuxcare.els1.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/libpolkit-agent-1-dev@0.105-14.1ubuntu0.5%2Btuxcare.els1?arch=amd64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5+tuxcare.els1.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5+tuxcare.els1.amd64"
        },
        "product_reference": "libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5+tuxcare.els1.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5.amd64"
        },
        "product_reference": "libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-6133",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"
      },
      "notes": [
        {
          "category": "description",
          "text": "In PolicyKit (aka polkit) 0.115, the \"start time\" protection mechanism can be bypassed because fork() is not atomic, and therefore authorization decisions are improperly cached. This is related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "Ubuntu-16:libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5+tuxcare.els1.amd64",
          "Ubuntu-16:libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5.amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-6133"
        },
        {
          "category": "external",
          "summary": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00049.html",
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00049.html"
        },
        {
          "category": "external",
          "summary": "http://www.securityfocus.com/bid/106537",
          "url": "http://www.securityfocus.com/bid/106537"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2019:0230",
          "url": "https://access.redhat.com/errata/RHSA-2019:0230"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2019:0420",
          "url": "https://access.redhat.com/errata/RHSA-2019:0420"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2019:0832",
          "url": "https://access.redhat.com/errata/RHSA-2019:0832"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2019:2699",
          "url": "https://access.redhat.com/errata/RHSA-2019:2699"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2019:2978",
          "url": "https://access.redhat.com/errata/RHSA-2019:2978"
        },
        {
          "category": "external",
          "summary": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1692",
          "url": "https://bugs.chromium.org/p/project-zero/issues/detail?id=1692"
        },
        {
          "category": "external",
          "summary": "https://git.kernel.org/linus/7b55851367136b1efd84d98fea81ba57a98304cf",
          "url": "https://git.kernel.org/linus/7b55851367136b1efd84d98fea81ba57a98304cf"
        },
        {
          "category": "external",
          "summary": "https://gitlab.freedesktop.org/polkit/polkit/commit/c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81",
          "url": "https://gitlab.freedesktop.org/polkit/polkit/commit/c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81"
        },
        {
          "category": "external",
          "summary": "https://gitlab.freedesktop.org/polkit/polkit/merge_requests/19",
          "url": "https://gitlab.freedesktop.org/polkit/polkit/merge_requests/19"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2019/01/msg00021.html",
          "url": "https://lists.debian.org/debian-lts-announce/2019/01/msg00021.html"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2019/05/msg00041.html",
          "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00041.html"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2019/05/msg00042.html",
          "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00042.html"
        },
        {
          "category": "external",
          "summary": "https://support.f5.com/csp/article/K22715344",
          "url": "https://support.f5.com/csp/article/K22715344"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3901-1/",
          "url": "https://usn.ubuntu.com/3901-1/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3901-2/",
          "url": "https://usn.ubuntu.com/3901-2/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3903-1/",
          "url": "https://usn.ubuntu.com/3903-1/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3903-2/",
          "url": "https://usn.ubuntu.com/3903-2/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3908-1/",
          "url": "https://usn.ubuntu.com/3908-1/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3908-2/",
          "url": "https://usn.ubuntu.com/3908-2/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3910-1/",
          "url": "https://usn.ubuntu.com/3910-1/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3910-2/",
          "url": "https://usn.ubuntu.com/3910-2/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3934-1/",
          "url": "https://usn.ubuntu.com/3934-1/"
        },
        {
          "category": "external",
          "summary": "https://usn.ubuntu.com/3934-2/",
          "url": "https://usn.ubuntu.com/3934-2/"
        }
      ],
      "release_date": "2019-01-11T14:29:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "CVE-2019-6133 is a local, timing‑sensitive race condition. It only becomes relevant after a user completes an interactive polkit authorization (e.g., an auth_admin_keep prompt), and an attacker must then rely on precise PID reuse and fork behavior to hijack the short‑lived cached authorization, which makes practical exploitation unreliable. In centrally managed server/VM deployments without interactive desktop sessions or reliance on polkit’s temporary authorizations, there is no cache to hijack and the issue is effectively untriggerable. Given these constraints and the absence of a remote attack path, this vulnerability can be safely deprioritized relative to remotely exploitable or non‑interactive privilege‑escalation flaws. No fix is planned, so the listed packages remain affected; hosts that do run interactive sessions or use polkit’s temporary authorizations should be assessed separately.",
          "product_ids": [
            "Ubuntu-16:libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5+tuxcare.els1.amd64",
            "Ubuntu-16:libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5.amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "Ubuntu-16:libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5+tuxcare.els1.amd64",
            "Ubuntu-16:libpolkit-agent-1-dev-0:0.105-14.1ubuntu0.5.amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}