Published: 18/11/2018 Updated: 24/08/2020
CVSS v2 Base Score: 2.1 | Impact Score: 2.9 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 187
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

GNOME Keyring up to and including 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used.


Vulnerable Product

gnome gnome-keyring

Vendor Advisories

Debian Bug report logs - #914154: CVE-2018-19358. Package: gnome-keyring; Maintainer for gnome-keyring is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>; Source for gnome-keyring is src:gnome-keyring. Reported by: Moritz Muehlenhoff <jmm@debian.org>. Date: Mon, 19 Nov 2018 ...

Github Repositories

A Java library for storing secrets under linux in the gnome-keyring over the D-Bus. Like libsecret, but for Java.

Secret Service: A Java library for storing secrets in a keyring over the D-Bus. The library conforms to the freedesktop.org Secret Service API 0.2 and is thus compatible with GNOME Linux systems. The Secret Service itself is usually implemented by the gnome-keyring. This library can be seen as the functional equivalent to the libsecret C library. See: Secret Storage Specificati