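# Polkit InputPlumber Default Authentication Disabled Vulnerability
## Overview
Polkit before version v0.69.0 has a race condition vulnerability in its authorization check, and authentication is disabled by default, which can lead to the same security issue as CVE-2025-66005.
## Affected Versions
Polkit versions earlier than v0.69.0.
## Details
The vulnerability stems from a race condition in the Polkit authorization mechanism. When authentication is disabled by default, an attacker can exploit this race condition to bypass the normal permission checks.
## Impact
An attacker may exploit this vulnerability to bypass access controls, achieve local privilege escalation, and gain unauthorized operation privileges.
Web-type vulnerability: Unknown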
Title: 1249149 – (CVE-2025-14338, CVE-2025-66005) AUDIT-TRACKER: CVE-2025-14338,CVE-2025-66005: inputplumber: dbus-file-unauthorized
Shenlong quick summary:
- **Bug ID:** 1249149
- **Summary:** AUDIT-TRACKER: CVE-2025-14338, CVE-2025-66005: inputplumber: dbus-file-unauthorized
- **Status:** IN_PROGRESS
- **Product:** openSUSE Tumbleweed
- **Component:** Security
- **Version:** Current
- **Severity:** Normal
- **Classification:** openSUSE
- **Alias:** CVE-2025-14338, CVE-2025-66005
- **Reported:** 2025-09-05 00:09 UTC by Tobias Görgens
- **Modified:** 2026-01-19 22:16 UTC
- **Assignee:** Matthias Gerstner
**Key Points:**
- The vulnerability relates to the InputPlumber package's D-Bus interface being unauthorized.
- It involves lack of default-enabled Polkit authentication and a race condition in Polkit authorization.
- Fixes are being coordinated upstream with Pull Requests to address various aspects of the report.
- CVSS scores indicate a high severity due to the potential for arbitrary code execution or a local root exploit.
- The embargo period has been lifted, and release of a new version is pending final testing and review.
Title: InputPlumber: Lack of D-Bus Authorization and Input Verification allows UI Input Injection and Denial-of-Service (CVE-2025-66005, CVE-2025-14338) | SUSE Security Team Blog
Shenlong quick summary:
- **CVEs**: CVE-2025-66005, CVE-2025-14338
- **Vulnerable Component**: InputPlumber, a Linux utility part of SteamOS
- **Affected Version**: 0.67.0 (and earlier)
- **Vulnerabilities**:
  - **Lack of Authentication/Polkit Authentication Bypass**: Client authentication was either missing or bypassed, allowing unprivileged users to access D-Bus methods without authentication.
  - **D-Bus Methods Allowing Privilege Escalation**:
    - `CreateCompositeDevice` and `CreateTargetDevice` methods allow unauthorized access and privilege escalation.
- **Fixes Suggested and Implemented**:
  - Updated Polkit authentication logic using "system bus name" subject.
  - Enabled Polkit authorization by default in the build process.
  - Used file descriptors instead of path names.
  - Added documentation and systemd service hardening.
- **Timeline of Disclosure and Fixes**:
  - Initial contact with developers: November 21, 2025.
  - Fixes in InputPlumber version: v0.69.0.
  - Publication of this report: January 9, 2026.
- **Publication Context**: Some security aspects remained unaddressed at the time of the report's publication.