CVE-2018-20781

Publication date 12 February 2019

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

7.8 · High

Score breakdown

In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user's password is kept in a session-child process spawned from the LightDM daemon. This can expose the credential in cleartext.

Status

Package Ubuntu Release Status
gnome-keyring 18.10 cosmic
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Fixed 3.18.3-0ubuntu2.1
14.04 LTS trusty
Fixed 3.10.1-1ubuntu4.4

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
gnome-keyring

Severity score breakdown

Parameter Value
Base score 7.8 · High
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

    • USN-3894-1
    • GNOME Keyring vulnerability
    • 26 February 2019

Other references