CVE-2019-3825
Published: 6 February 2019
A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
gdm3 Launchpad, Ubuntu, Debian |
bionic |
Released
(3.28.3-0ubuntu18.04.4)
|
| cosmic |
Released
(3.30.1-1ubuntu5.1)
|
|
| disco |
Released
(3.31.4+git20190225-1ubuntu1)
|
|
| eoan |
Released
(3.31.4+git20190225-1ubuntu1)
|
|
| focal |
Released
(3.31.4+git20190225-1ubuntu1)
|
|
| groovy |
Released
(3.31.4+git20190225-1ubuntu1)
|
|
| hirsute |
Released
(3.31.4+git20190225-1ubuntu1)
|
|
| impish |
Released
(3.31.4+git20190225-1ubuntu1)
|
|
| jammy |
Released
(3.31.4+git20190225-1ubuntu1)
|
|
| kinetic |
Released
(3.31.4+git20190225-1ubuntu1)
|
|
| lunar |
Released
(3.31.4+git20190225-1ubuntu1)
|
|
| mantic |
Released
(3.31.4+git20190225-1ubuntu1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needed
|
|
|
Patches: upstream: https://gitlab.gnome.org/GNOME/gdm/commit/7726c81db92d2339fc468ed41c967f5412db66ed upstream: https://gitlab.gnome.org/GNOME/gdm/commit/d9d22a1c48a528873e3cc84a73fc868507b8dd4d upstream: https://gitlab.gnome.org/GNOME/gdm/commit/94d9fec87960e3ff5f7b75dadcde2807db148fbd upstream: https://gitlab.gnome.org/GNOME/gdm/commit/dd45295425c5a843c30aa8797b02d59ff488acb8 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 6.4 |
| Attack vector | Physical |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |