CVE-2018-20781

Published: 12/02/2019 Updated: 24/10/2019
CVSS v2 Base Score: 2.1 | Impact Score: 2.9 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 187
Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

In pam/gkr-pam-module.c in GNOME Keyring prior to 3.27.2, the user's password is kept in a session-child process spawned from the LightDM daemon. This can expose the credential in cleartext.

Affected Products

Vendor | Product | Versions
Gnome | Gnome Keyring | 0.1, 0.1.3, 0.1.4, 0.1.90, 0.1.91, 0.2.0, 0.2.1, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.5.1, 0.5.2, 0.6.0, 0.7.1, 0.7.2, 0.7.3, 0.7.91, 0.7.92, 0.8, 0.8.1, 2.19.2, 2.19.4, 2.19.4.1, 2.19.5, 2.19.6, 2.19.6.1, 2.19.90, 2.19.91, 2.20, 2.20.1, 2.20.2, 2.20.3, 2.21.3, 2.21.3.1, 2.21.3.2, 2.21.4, 2.21.5, 2.21.90, 2.21.91, 2.21.92, 2.22.0, 2.22.1, 2.22.2, 2.22.3, 2.23.5, 2.23.6, 2.23.90, 2.23.91, 2.23.92, 2.24.0, 2.24.1, 2.25.1, 2.25.2, 2.25.4, 2.25.4.1, 2.25.4.2, 2.25.5, 2.25.90, 2.25.91, 2.25.92, 2.26.0, 2.26.1, 2.26.3, 2.27.4, 2.27.5, 2.27.90, 2.27.92, 2.28.0, 2.28.1, 2.28.2, 2.29.4, 2.29.5, 2.29.90, 2.29.92, 2.30.1, 2.30.2, 2.30.3, 2.31.4, 2.31.91, 2.31.92, 2.32.0, 2.32.1, 2.91.0, 2.91.1, 2.91.2, 2.91.3, 2.91.4, 2.91.91, 2.91.92, 2.91.93, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.1, 3.1.4, 3.1.90, 3.1.91, 3.1.92, 3.2.0, 3.2.1, 3.2.2, 3.3.1, 3.3.1.1, 3.3.2, 3.3.3, 3.3.3.1, 3.3.4, 3.3.5, 3.3.91, 3.3.92, 3.4.0, 3.4.1, 3.5.3, 3.5.4, 3.5.5, 3.5.90, 3.5.91, 3.5.92, 3.6.0, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.7.5, 3.7.91, 3.7.92, 3.8.0, 3.8.1, 3.8.2, 3.9.1, 3.9.90, 3.10.0, 3.10.1, 3.11.92, 3.12.0, 3.12.2, 3.13.91, 3.14.0, 3.15.90, 3.15.92, 3.16.0, 3.17.4, 3.17.91, 3.18.0, 3.18.1, 3.18.2, 3.18.3, 3.19.4, 3.19.90, 3.20.0
Canonical | Ubuntu Linux | 14.04, 16.04

Vendor Advisories

GNOME Keyring could be made to expose sensitive information ...
In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user's password is kept in a session-child process spawned from the LightDM daemon. This can expose the credential in cleartext ...

GitHub Repositories