Vulnerability Details CVE-2020-28049
An issue was discovered in SDDM before 0.19.0. It incorrectly starts the X server in a way that - for a short time period - allows local unprivileged users to create a connection to the X server without providing proper authentication. A local attacker can thus access X server display contents and, for example, intercept keystrokes or access the clipboard. This is caused by a race condition during Xauthority file creation.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 10.2%
CVSS Severity
CVSS v3 Score 6.3
CVSS v2 Score 3.3
References
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00031.html
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-28049
- https://github.com/sddm/sddm/blob/v0.19.0/ChangeLog
- https://github.com/sddm/sddm/releases
- https://lists.debian.org/debian-lts-announce/2020/11/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GT3EX5NSQJJAKY63ENSMEDX6NYZLYY3S/
- https://security.gentoo.org/glsa/202402-02
- https://www.debian.org/security/2020/dsa-4783
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00031.html
- https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-28049
- https://github.com/sddm/sddm/blob/v0.19.0/ChangeLog
- https://github.com/sddm/sddm/releases
- https://lists.debian.org/debian-lts-announce/2020/11/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GT3EX5NSQJJAKY63ENSMEDX6NYZLYY3S/
- https://security.gentoo.org/glsa/202402-02
- https://www.debian.org/security/2020/dsa-4783
Products affected by CVE-2020-28049
-
cpe:2.3:a:sddm_project:sddm:-
-
cpe:2.3:a:sddm_project:sddm:0.1.0
-
cpe:2.3:a:sddm_project:sddm:0.10.0
-
cpe:2.3:a:sddm_project:sddm:0.11.0
-
cpe:2.3:a:sddm_project:sddm:0.12.0
-
cpe:2.3:a:sddm_project:sddm:0.13.0
-
cpe:2.3:a:sddm_project:sddm:0.14.0
-
cpe:2.3:a:sddm_project:sddm:0.15.0
-
cpe:2.3:a:sddm_project:sddm:0.16.0
-
cpe:2.3:a:sddm_project:sddm:0.17.0
-
cpe:2.3:a:sddm_project:sddm:0.18.0
-
cpe:2.3:a:sddm_project:sddm:0.18.1
-
cpe:2.3:a:sddm_project:sddm:0.8.99
-
cpe:2.3:a:sddm_project:sddm:0.9.0
-
cpe:2.3:o:debian:debian_linux:10.0
-
cpe:2.3:o:debian:debian_linux:9.0
-
cpe:2.3:o:fedoraproject:fedora:33
-
cpe:2.3:o:opensuse:leap:15.1
-
cpe:2.3:o:opensuse:leap:15.2