Vulnerability Description
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related commands, while KDE Partition Manager is running. the mount command can then be used to gain full root privileges.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kde | Partition Manager | >= 4.1.0, < 4.2.0 |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1890199Issue TrackingVendor Advisory
- https://github.com/KDE/partitionmanager/compare/v4.1.0...v4.2.0Release NotesThird Party Advisory
- https://kde.org/info/security/advisory-20201017-1.txtPatchVendor Advisory
- https://security.gentoo.org/glsa/202011-03Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1890199Issue TrackingVendor Advisory
- https://github.com/KDE/partitionmanager/compare/v4.1.0...v4.2.0Release NotesThird Party Advisory
- https://kde.org/info/security/advisory-20201017-1.txtPatchVendor Advisory
- https://security.gentoo.org/glsa/202011-03Third Party Advisory
FAQ
What is CVE-2020-27187?
CVE-2020-27187 is a vulnerability with a CVSS score of 7.8 (HIGH). An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker o...
How severe is CVE-2020-27187?
CVE-2020-27187 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-27187?
Check the references section above for vendor advisories and patch information. Affected products include: Kde Partition Manager.