CVE-2018-20781

In pam/gkr-pam-module.c in GNOME Keyring before 3.27.2, the user's password is kept in a session-child process spawned from the LightDM daemon. This can expose the credential in cleartext.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 89%
VendorProductVersion
gnomegnome_keyring
𝑥
< 3.27.2
canonicalubuntu_linux
14.04
canonicalubuntu_linux
16.04
oraclezfs_storage_appliance_kit
8.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
gnome-keyring
bullseye
3.36.0-1
fixed
bookworm
42.1-1
fixed
sid
46.2-1
fixed
trixie
46.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
gnome-keyring
cosmic
not-affected
bionic
not-affected
xenial
Fixed 3.18.3-0ubuntu2.1
released
trusty
Fixed 3.10.1-1ubuntu4.4
released
Common Weakness Enumeration
References
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919
https://bugzilla.gnome.org/show_bug.cgi?id=781486
https://github.com/huntergregal/mimipenguin
https://github.com/huntergregal/mimipenguin/tree/d95f1e08ce79783794f38433bbf7de5abd9792da
https://gitlab.gnome.org/GNOME/gnome-keyring/issues/3
https://gitlab.gnome.org/GNOME/gnome-keyring/tags/3.27.2
https://usn.ubuntu.com/3894-1/
https://www.oracle.com/security-alerts/cpujan2021.html
https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1772919
https://bugzilla.gnome.org/show_bug.cgi?id=781486
https://github.com/huntergregal/mimipenguin
https://github.com/huntergregal/mimipenguin/tree/d95f1e08ce79783794f38433bbf7de5abd9792da
https://gitlab.gnome.org/GNOME/gnome-keyring/issues/3
https://gitlab.gnome.org/GNOME/gnome-keyring/tags/3.27.2
https://usn.ubuntu.com/3894-1/
https://www.oracle.com/security-alerts/cpujan2021.html