In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user's password is kept in a session-child process spawned from the LightDM daemon. This can expose the credential in cleartext.
References
Link | Resource |
---|---|
https://gitlab.gnome.org/GNOME/gnome-keyring/tags/3.27.2 | Release Notes Vendor Advisory |
https://gitlab.gnome.org/GNOME/gnome-keyring/issues/3 | Vendor Advisory |
https://bugzilla.gnome.org/show_bug.cgi?id=781486 | Issue Tracking Patch Vendor Advisory |
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919 | Issue Tracking Patch Third Party Advisory |
https://usn.ubuntu.com/3894-1/ | Third Party Advisory |
https://github.com/huntergregal/mimipenguin/tree/d95f1e08ce79783794f38433bbf7de5abd9792da | Third Party Advisory |
https://github.com/huntergregal/mimipenguin | Third Party Advisory |
https://www.oracle.com/security-alerts/cpujan2021.html | Third Party Advisory |
Configurations
Information
Published : 2019-02-12 09:29
Updated : 2021-03-16 07:02
NVD link : CVE-2018-20781
Mitre link : CVE-2018-20781
JSON object : View
CWE
CWE-522
Insufficiently Protected Credentials
Products Affected
canonical
- ubuntu_linux
oracle
- zfs_storage_appliance_kit
gnome
- gnome_keyring