CVE-2020-16122 HIGH

CVE-2020-16122: PackageKit's apt backend lets users install untrusted local packages

Vendor: Packagekit
Product: packagekit
Weakness: CWE-269
Published: November 7, 2020
Last update: September 16, 2024

CVSS base score

8.2/10
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01 Description

PackageKit's apt backend mistakenly treated all local debs as trusted. The apt security model is based on repository trust and not on the contents of individual files. On sites with configured PolicyKit rules, this may allow users to install malicious packages.

Key dates

02 Disclosure timeline

November 7, 2020: CVE published
September 16, 2024: Record updated