A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.
History

Fri, 22 Nov 2024 12:00:00 +0000


Tue, 05 Nov 2024 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:starwindsoftware:starwind_hyperconverged_appliance:-:*:*:*:*:*:*:*
Vendors & Products Starwindsoftware starwind Hyperconverged Appliance

Mon, 04 Nov 2024 16:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2022-06-27'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 14 Aug 2024 01:00:00 +0000

Type Values Removed Values Added
References

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2022-01-28T00:00:00

Updated: 2024-11-04T14:58:43.983Z

Reserved: 2021-11-29T00:00:00

Link: CVE-2021-4034

cve-icon Vulnrichment

Updated: 2024-09-23T18:05:54.355Z

cve-icon NVD

Status : Modified

Published: 2022-01-28T20:15:12.193

Modified: 2024-11-21T06:36:45.880

Link: CVE-2021-4034

cve-icon Redhat

Severity : Important

Publid Date: 2022-01-25T17:00:00Z

Links: CVE-2021-4034 - Bugzilla