Security Advisories

Documentation Cloud Services Solutions

CV_2022_01_1: Local Privilege Escalation Vulnerability in Polkit's pkexec Utility HIGH

  This advisory is archived

Archived security advisories updated before March 15, 2024 have been migrated from our previous documentation site in their original format. For this reason, they may not conform to the updated look and feel of advisories published after March 15, 2024.

  • Advisory ID: CV_2022_01_1
  • Title: Local Privilege Escalation Vulnerability in Polkit's pkexec Utility
  • Severity: HIGH
  • Issued: 2022-01-29
  • Updated: 2022-01-29
  • CVSS Score Range: 7.0-8.9
  • Additional Links:

Impacted Products

The vulnerability may affect the Commvault Hyperscale products.


To fix this vulnerability, install the February 2022 Operating System updates on the Hyperscale nodes. You do not require to install maintenance releases.

For more information, see the following:

CVE Details

Info Description

A local privilege escalation vulnerability was found on polkit's pkexec utility. The pkexec application is a setuid tool designed to allow unprivileged users to run commands as privileged users according predefined policies. The current version of pkexec doesn't handle the calling parameters count correctly and ends trying to execute environment variables as commands. An attacker can leverage this by crafting environment variables in such a way it'll induce pkexec to execute arbitrary code. When successfully executed the attack can cause a local privilege escalation given unprivileged users administrative rights on the target machine.