CVE-2018-14345 — Improper Authentication in Project Sddm

CWE-287 — Improper Authentication CWE-613 — Insufficient Session Expiration8 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 52.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sddm Project Sddm

Timeline

PublishedJul 17

Latest updateMay 13

Description

An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session. This is related to daemon/Display.cpp and helper/backend/PamBackend.cpp.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages2 packages

▶Debiansddm_project/sddm< 0.18.0-1+3

▶NVDsddm_project/sddm0.17.0

Patches

Patch: bugzilla.suse.com ↗Patch: github.com ↗Patch: bugzilla.suse.com ↗

🔴Vulnerability Details

GHSA

GHSA-4wvx-qq9g-8hh9: An issue was discovered in SDDM through 0↗2022-05-13

▶

CVEList

CVE-2018-14345: An issue was discovered in SDDM through 0↗2018-07-17

▶

OSV

CVE-2018-14345: An issue was discovered in SDDM through 0↗2018-07-17

▶

📋Vendor Advisories

Debian

CVE-2018-14345: sddm - An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=...↗2018

▶

💬Community

Bugzilla

CVE-2018-14345 sddm: Password not checked for users with an already existing session if ReuseSession=true [epel-7]↗2018-07-19

▶

Bugzilla

CVE-2018-14345 sddm: Password not checked for users with an already existing session if ReuseSession=true↗2018-07-19

▶

Bugzilla

CVE-2018-14345 sddm: Password not checked for users with an already existing session if ReuseSession=true [fedora-all]↗2018-07-19

▶