CVE-2018-14345

An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session. This is related to daemon/Display.cpp and helper/backend/PamBackend.cpp.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
HIGH
LOW
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 46%
VendorProductVersion
sddm_projectsddm
𝑥
≤ 0.17.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
sddm
bullseye
0.19.0-3
fixed
stretch
not-affected
bookworm
0.19.0-5
fixed
sid
0.21.0-1.1
fixed
trixie
0.21.0-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
sddm
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
not-affected
cosmic
ignored
bionic
needs-triage
artful
ignored
xenial
needs-triage
trusty
dne
Common Weakness Enumeration
References
https://bugzilla.suse.com/show_bug.cgi?id=1101450
https://github.com/sddm/sddm/commit/147cec383892d143b5e02daa70f1e7def50f5d98
https://bugzilla.suse.com/show_bug.cgi?id=1101450
https://github.com/sddm/sddm/commit/147cec383892d143b5e02daa70f1e7def50f5d98