Published: 10/11/2020 Updated: 24/11/2020

CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9

CVSS v3 Base Score: 6.8 | Impact Score: 5.9 | Exploitability Score: 0.9

VMScore: 409

Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

gdm3 versions prior to 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a new privileged account.

Vulnerable Product	Search on Vulmon	Subscribe to Product
gnome gnome display manager

gdm before 3382 can be tricked into launching gnome-initial-setup, enabling an unprivileged user to create a new user account for themselves The new account is a member of the sudo group, so this enables the unprivileged user to obtain admin privileges ...

CVE-2020-16125-Reproduction This repository is aimed at reproducing the attack Description : Its original name is “Ubuntu gdm3 privilege escalation” , and it is found by a Github security researcher named Kevin Backhouse Its CVSS score is 46/10 (medium) and the affected environment is Ubuntu version 20041 with gdm3 version before 3362 or 3382 The vulner

CWE-754 https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1900314 https://gitlab.gnome.org/GNOME/gdm/-/issues/642 https://securitylab.github.com/advisories/GHSL-2020-202-gdm3-LPE-unresponsive-accounts-daemon https://nvd.nist.gov https://github.com/za970120604/CVE-2020-16125-Reproduction https://security.archlinux.org/CVE-2020-16125

CVE-2020-16125

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect