CVE-2020-16125 — Improper Check for Unusual or Exceptional Conditions in Gdm3

CWE-754 — Improper Check for Unusual or Exceptional Conditions CWE-636 — Failing Open7 documents7 sources

Severity

6.8MEDIUMNVD

CNA7.2

EPSS

22.1%

top 4.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Gdm3 Gnome Display Manager

Timeline

PublishedNov 10

Latest updateMay 24

Description

gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a new privileged account.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5gnome/gdm33.36 — 3.36.4+1

▶NVDgnome/gnome_display_manager3.38.0 — 3.38.2+1

🔴Vulnerability Details

GHSA

GHSA-pc8h-hq5p-vf38: gdm3 versions before 3↗2022-05-24

▶

OSV

CVE-2020-16125: gdm3 versions before 3↗2020-11-10

▶

CVEList

gdm3 would start gnome-initial-setup if it cannot contact accountservice↗2020-11-10

▶

📋Vendor Advisories

Red Hat

gdm: inability to timely contact accountservice via dbus leads gnome-initial-setup to creation of account with admin privileges↗2020-11-10

▶

Ubuntu

GDM vulnerability↗2020-11-03

▶

Debian

CVE-2020-16125: gdm3 - gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 ca...↗2020

▶