CVE-2018-20781

Insufficiently Protected Credentials

Published: Feb 12, 2019 | Modified: Nov 21, 2024
CVSS 3.x | 7.8 HIGH | Source: NVD | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x | 2.1 LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2
RedHat/V3 | 4.4 LOW | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Ubuntu | MEDIUM

In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user's password is kept in a session-child process spawned from the LightDM daemon. This can expose the credential in cleartext.

Weakness

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Affected Software

Name | Vendor | Start Version | End Version
Gnome_keyring | Gnome | * | 3.27.2 (excluding)
Gnome-keyring | Ubuntu | trusty | *
Gnome-keyring | Ubuntu | upstream | *
Gnome-keyring | Ubuntu | xenial | *
