CVE-2024-36041 — Insufficient Session Expiration in Plasma-workspace

CWE-613 — Insufficient Session Expiration CWE-402 — Resource Leak7 documents7 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 73.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

KDE Plasma-workspace

Timeline

PublishedJul 5

Description

KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDkde/plasma-workspace6.0.0.0 — 6.0.5.1+1

▶Debiankde/plasma-workspace< 4:5.20.5-6+deb11u1+3

🔴Vulnerability Details

GHSA

GHSA-7xfq-9m67-9j5j: KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5↗2024-07-05

▶

OSV

CVE-2024-36041: KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5↗2024-07-05

▶

CVEList

CVE-2024-36041: KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5↗2024-07-05

▶

📋Vendor Advisories

Ubuntu

Plasma Workspace vulnerability↗2024-06-26

▶

Red Hat

kernel: RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw↗2024-06-19

▶

Debian

CVE-2024-36041: plasma-workspace - KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6....↗2024

▶