Upstream information

CVE-2020-28049 at MITRE

Description

An issue was discovered in SDDM before 0.19.0. It incorrectly starts the X server in a way that - for a short time period - allows local unprivileged users to create a connection to the X server without providing proper authentication. A local attacker can thus access X server display contents and, for example, intercept keystrokes or access the clipboard. This is caused by a race condition during Xauthority file creation.

SUSE information

Overall state of this security issue: Does not affect SUSE products

This issue is currently rated as having moderate severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 3.3
Vector AV:L/AC:M/Au:N/C:P/I:P/A:N
Access Vector Local
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact None
CVSS v3 Scores
  National Vulnerability Database
Base Score 6.3
Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Access Vector Local
Access Complexity High
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality Impact High
Integrity Impact High
Availability Impact None
CVSSv3 Version 3.1
SUSE Bugzilla entry: 1177201 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Package Hub for SUSE Linux Enterprise 15 SP1
  • sddm >= 0.18.0-bp151.4.6.1
  • sddm-branding-SLE >= 0.18.0-bp151.4.6.1
  • sddm-branding-openSUSE >= 0.18.0-bp151.4.6.1
  • sddm-branding-upstream >= 0.18.0-bp151.4.6.1
Patchnames:
openSUSE-2020-1897
SUSE Package Hub for SUSE Linux Enterprise 15 SP2
  • sddm >= 0.18.0-bp152.5.3.1
  • sddm-branding-SLE >= 0.18.0-bp152.5.3.1
  • sddm-branding-openSUSE >= 0.18.0-bp152.5.3.1
  • sddm-branding-upstream >= 0.18.0-bp152.5.3.1
Patchnames:
openSUSE-2020-1899
openSUSE Leap 15.1
  • sddm >= 0.18.0-lp151.3.6.1
  • sddm-branding-openSUSE >= 0.18.0-lp151.3.6.1
  • sddm-branding-upstream >= 0.18.0-lp151.3.6.1
Patchnames:
openSUSE-2020-1870
openSUSE Leap 15.2
  • sddm >= 0.18.0-lp152.5.3.1
  • sddm-branding-openSUSE >= 0.18.0-lp152.5.3.1
  • sddm-branding-upstream >= 0.18.0-lp152.5.3.1
Patchnames:
openSUSE-2020-1870
openSUSE Tumbleweed
  • sddm >= 0.19.0-4.2
  • sddm-branding-openSUSE >= 0.19.0-4.2
  • sddm-branding-upstream >= 0.19.0-4.2
Patchnames:
openSUSE Tumbleweed GA sddm-0.19.0-4.2