CVE-2007-4569
Published: 2007-09-21
Priority: P4 (34, medium)
CVSS 2.0: 6.8 (medium), vector AV:L/AC:L/Au:S/C:C/I:C/A:C
EPSS: 1.01% (58.9th percentile)
backend/session.c in KDM in KDE 3.3.0 through 3.5.7, when autologin is configured and "shutdown with password" is enabled, allows remote attackers to bypass the password requirement and login to arbitrary accounts via unspecified vectors.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kde | kde | — | — |
(The remaining 17 entries are identical: vendor kde, product kde, with no version range or fixed version recorded.)
CVSS provenance
nvd: v2.0, 6.8 MEDIUM, AV:L/AC:L/Au:S/C:C/I:C/A:C
vendor_redhat: 6.8 MEDIUM
Ubuntu · vendor_ubuntu · 2007-09-25
CVE-2007-4569 kdm vulnerability
It was discovered that KDM would allow logins without password checks under certain circumstances. If autologin was configured, and "shutdown with password" enabled, a local user could exploit the problem and gain root privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Red Hat · vendor_redhat · 2007-09-19 · CVSS 6.8
CVE-2007-4569 [MEDIUM] kdm password-less login vulnerability
backend/session.c in KDM in KDE 3.3.0 through 3.5.7, when autologin is configured and "shutdown with password" is enabled, allows remote attackers to bypass the password requirement and login to arbitrary accounts via unspecified vectors.
GHSA · ghsa_unreviewed · 2022-05-01
CVE-2007-4569 [MEDIUM] GHSA-mj8p-r5gp-w6p8: backend/session
backend/session.c in KDM in KDE 3.3.0 through 3.5.7, when autologin is configured and "shutdown with password" is enabled, allows remote attackers to bypass the password requirement and login to arbitrary accounts via unspecified vectors.
No detection rules found.
Bugzilla · 2007-09-21 · CVSS 6.8
CVE-2007-4569 [MEDIUM] kdm password-less login vulnerability [FC6]
FC6 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
Ping on this. When would it be possible to roll updated packages?
---
I have built it into the FC6/F7 update tree. It will be available in the FC6/F7 update soon.
Bugzilla · 2007-09-21 · CVSS 6.8
CVE-2007-4569 [MEDIUM] kdm password-less login vulnerability [F7]
F7 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
Ping on this. When would it be possible to roll updated packages?
---
I have built it into the FC6/F7 update tree. It will be available in the FC6/F7 update soon.
---
kdebase-3.5.7-13.1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla · 2007-09-12 · CVSS 6.8
CVE-2007-4569 [MEDIUM] kdm password-less login vulnerability
Dirk Mueller from the KDE project has provided us with a preview of the upcoming KDE security advisory for kdm:
KDE Security Advisory: KDM passwordless login vulnerability
Original Release Date: 2007-09-19
URL: http://www.kde.org/info/security/advisory-20070919-1.txt
0. References
CVE-FIXME
1. Systems affected:
KDM as shipped with KDE 3.3.0 up to and including 3.5.7. KDE 3.2.x and older, and versions newer than KDE 3.5.7, are not affected.
2. Overview:
KDM can be tricked into performing a password-less login even for accounts with a password set, under certain circumstances. It requires autologin to be configured and "shutdown with password" enabled.
This vulnerability was discovered and reported by C. Huijgen.
3. Impact:
KDM might allow a norm
References
http://lists.opensuse.org/opensuse-security-announce/2007-10/msg00006.html
http://secunia.com/advisories/26894
http://secunia.com/advisories/26904
http://secunia.com/advisories/26915
http://secunia.com/advisories/26929
http://secunia.com/advisories/26977
http://secunia.com/advisories/27089
http://secunia.com/advisories/27096
http://secunia.com/advisories/27106
http://secunia.com/advisories/27180
http://secunia.com/advisories/27271
http://security.gentoo.org/glsa/glsa-200710-15.xml
http://securitytracker.com/id?1018724
http://www.debian.org/security/2007/dsa-1376
http://www.kde.org/info/security/advisory-20070919-1.txt
http://www.mandriva.com/security/advisories?name=MDKSA-2007:190
http://www.redhat.com/support/errata/RHSA-2007-0905.html
http://www.securityfocus.com/bid/25730
http://www.ubuntu.com/usn/usn-517-1
http://www.vupen.com/english/advisories/2007/3227
https://exchange.xforce.ibmcloud.com/vulnerabilities/36711
https://issues.rpath.com/browse/RPL-1725
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10359
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00022.html
https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00084.html