CVE-2020-28049

CWE-362 — Race Condition8 documents6 sources

Severity

6.3MEDIUM

EPSS

0.0%

top 88.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sddm Project Sddm Debian Debian Linux Fedoraproject Fedora +1 more

Timeline

PublishedNov 4

Latest updateMay 24

Description

An issue was discovered in SDDM before 0.19.0. It incorrectly starts the X server in a way that - for a short time period - allows local unprivileged users to create a connection to the X server without providing proper authentication. A local attacker can thus access X server display contents and, for example, intercept keystrokes or access the clipboard. This is caused by a race condition during Xauthority file creation.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.0 | Impact: 5.2

Affected Packages3 packages

▶NVDsddm_project/sddm< 0.19.0

▶Debiansddm< 0.19.0-1+3

▶NVDopensuse/leap15.1, 15.2+1

Also affects: Debian Linux 10.0, 9.0, Fedora 33

🔴Vulnerability Details

GHSA

GHSA-q868-g69p-72cw: An issue was discovered in SDDM before 0↗2022-05-24

▶

CVEList

CVE-2020-28049: An issue was discovered in SDDM before 0↗2020-11-04

▶

OSV

CVE-2020-28049: An issue was discovered in SDDM before 0↗2020-11-04

▶

📋Vendor Advisories

Debian

CVE-2020-28049: sddm - An issue was discovered in SDDM before 0.19.0. It incorrectly starts the X serve...↗2020

▶

💬Community

Bugzilla

CVE-2020-28049 sddm: local privilege escalation due to race condition in creation of the Xauthority file [epel-all]↗2020-11-04

▶

Bugzilla

CVE-2020-28049 sddm: local privilege escalation due to race condition in creation of the Xauthority file [fedora-all]↗2020-11-04

▶

Bugzilla

CVE-2020-28049 sddm: local privilege escalation due to race condition in creation of the Xauthority file↗2020-11-04

▶