CVE-2019-3825 - Vulnerability Details

A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session.

No CVSS v4.0

No CVSS v3.1

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Gnome	Gnome Display Manager
Redhat	Enterprise Linux

Configuration 1 [-]

cpe:2.3:a:gnome:gnome_display_manager:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*

Configuration 3 [-]

cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
accountsservice-0:0.6.50-8.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
appstream-data-0:8-20191129.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
baobab-0:3.28.0-4.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
clutter-0:1.26.2-8.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
evince-0:3.28.4-4.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gdm-1:3.28.3-29.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gjs-0:1.56.2-4.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-boxes-0:3.28.5-8.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-control-center-0:3.28.2-19.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-menus-0:3.13.3-11.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-online-accounts-0:3.28.2-1.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-remote-desktop-0:0.1.6-8.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-session-0:3.28.1-8.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-settings-daemon-0:3.32.0-9.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-shell-0:3.32.2-14.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-software-0:3.30.6-3.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-terminal-0:3.28.3-1.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-tweaks-0:3.28.1-7.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gsettings-desktop-schemas-0:3.32.0-4.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gtk3-0:3.22.30-5.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gvfs-0:1.36.2-8.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
LibRaw-0:0.19.5-1.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
libvncserver-0:0.9.11-14.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
libxslt-0:1.1.32-4.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
mozjs52-0:52.9.0-2.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
mozjs60-0:60.9.0-4.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
mutter-0:3.32.2-34.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
nautilus-0:3.28.1-12.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
vala-0:0.40.19-1.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
vinagre-0:3.22.0-21.el8	cpe:/a:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
accountsservice-0:0.6.50-8.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
appstream-data-0:8-20191129.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
baobab-0:3.28.0-4.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
clutter-0:1.26.2-8.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
evince-0:3.28.4-4.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gdm-1:3.28.3-29.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gjs-0:1.56.2-4.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-boxes-0:3.28.5-8.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-control-center-0:3.28.2-19.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-menus-0:3.13.3-11.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-online-accounts-0:3.28.2-1.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-remote-desktop-0:0.1.6-8.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-session-0:3.28.1-8.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-settings-daemon-0:3.32.0-9.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-shell-0:3.32.2-14.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-software-0:3.30.6-3.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-terminal-0:3.28.3-1.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gnome-tweaks-0:3.28.1-7.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gsettings-desktop-schemas-0:3.32.0-4.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gtk3-0:3.22.30-5.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
gvfs-0:1.36.2-8.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
LibRaw-0:0.19.5-1.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
libvncserver-0:0.9.11-14.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
libxslt-0:1.1.32-4.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
mozjs52-0:52.9.0-2.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
mozjs60-0:60.9.0-4.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
mutter-0:3.32.2-34.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
nautilus-0:3.28.1-12.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
vala-0:0.40.19-1.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z
vinagre-0:3.22.0-21.el8	cpe:/o:redhat:enterprise_linux:8	RHSA-2020:1766	2020-04-28T00:00:00Z

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3825
https://gitlab.gnome.org/GNOME/gdm/issues/460
https://gitlab.gnome.org/GNOME/gdm/merge_requests/58
https://nvd.nist.gov/vuln/detail/CVE-2019-3825
https://usn.ubuntu.com/3892-1/
https://www.cve.org/CVERecord?id=CVE-2019-3825

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2019-02-06T20:00:00

Updated: 2024-08-04T19:19:18.680Z

Reserved: 2019-01-03T00:00:00

Link: CVE-2019-3825

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-02-06T20:29:00.447

Modified: 2024-11-21T04:42:37.413

Link: CVE-2019-3825

Redhat

Severity : Moderate

Publid Date: 2019-02-06T00:00:00Z

Links: CVE-2019-3825 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "gdm", "vendor": "The Gnome Projectr", "versions": [{"status": "affected", "version": "3.31.4"}]}], "datePublic": "2019-02-06T00:00:00", "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session."}], "metrics": [{"cvssV3_0": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-02-21T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "USN-3892-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3892-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3825"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-3825", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "gdm", "version": {"version_data": [{"version_value": "3.31.4"}]}}]}, "vendor_name": "The Gnome Projectr"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session."}]}, "impact": {"cvss": [[{"vectorString": "6.3/CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-287"}]}]}, "references": {"reference_data": [{"name": "USN-3892-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3892-1/"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3825", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3825"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:19:18.680Z"}, "title": "CVE Program Container", "references": [{"name": "USN-3892-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3892-1/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3825"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-3825", "datePublished": "2019-02-06T20:00:00", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2024-08-04T19:19:18.680Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnome:gnome_display_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "91D07F22-A0D8-41BE-BE1A-A5A81E8306AA", "versionEndExcluding": "3.31.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "matchCriteriaId": "07C312A0-CD2C-4B9C-B064-6409B25C278F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session."}, {"lang": "es", "value": "Se ha descubierto una vulnerabilidad en gdm en versiones anteriores a la 3.31.4. Cuando el inicio de sesi\u00f3n temporal est\u00e1 habilitado en la configuraci\u00f3n, un atacante podr\u00eda omitir la pantalla de bloqueo, seleccionando el usuario de inicio de sesi\u00f3n temporal y esperando a que se agote el tiempo. En ese momento, obtendr\u00eda acceso a la sesi\u00f3n del usuario que ha iniciado sesi\u00f3n."}], "id": "CVE-2019-3825", "lastModified": "2024-11-21T04:42:37.413", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.4, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-02-06T20:29:00.447", "references": [{"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3825"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3892-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3825"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3892-1/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the GNOME Project for reporting this issue. Upstream acknowledges Burghard Britzke as the original reporter.", "affected_release": [{"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "accountsservice-0:0.6.50-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "appstream-data-0:8-20191129.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "baobab-0:3.28.0-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "clutter-0:1.26.2-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "evince-0:3.28.4-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gdm-1:3.28.3-29.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gjs-0:1.56.2-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-boxes-0:3.28.5-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-control-center-0:3.28.2-19.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-menus-0:3.13.3-11.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-online-accounts-0:3.28.2-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-remote-desktop-0:0.1.6-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-session-0:3.28.1-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-settings-daemon-0:3.32.0-9.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-shell-0:3.32.2-14.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-software-0:3.30.6-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-terminal-0:3.28.3-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-tweaks-0:3.28.1-7.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gsettings-desktop-schemas-0:3.32.0-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gtk3-0:3.22.30-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gvfs-0:1.36.2-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "LibRaw-0:0.19.5-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "libvncserver-0:0.9.11-14.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "libxslt-0:1.1.32-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "mozjs52-0:52.9.0-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "mozjs60-0:60.9.0-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "mutter-0:3.32.2-34.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nautilus-0:3.28.1-12.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "vala-0:0.40.19-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "vinagre-0:3.22.0-21.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "accountsservice-0:0.6.50-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "appstream-data-0:8-20191129.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "baobab-0:3.28.0-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "clutter-0:1.26.2-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "evince-0:3.28.4-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gdm-1:3.28.3-29.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gjs-0:1.56.2-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-boxes-0:3.28.5-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-control-center-0:3.28.2-19.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-menus-0:3.13.3-11.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-online-accounts-0:3.28.2-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-remote-desktop-0:0.1.6-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-session-0:3.28.1-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-settings-daemon-0:3.32.0-9.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-shell-0:3.32.2-14.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-software-0:3.30.6-3.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-terminal-0:3.28.3-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gnome-tweaks-0:3.28.1-7.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gsettings-desktop-schemas-0:3.32.0-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gtk3-0:3.22.30-5.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "gvfs-0:1.36.2-8.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "LibRaw-0:0.19.5-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "libvncserver-0:0.9.11-14.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "libxslt-0:1.1.32-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "mozjs52-0:52.9.0-2.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "mozjs60-0:60.9.0-4.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "mutter-0:3.32.2-34.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "nautilus-0:3.28.1-12.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "vala-0:0.40.19-1.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}, {"advisory": "RHSA-2020:1766", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "vinagre-0:3.22.0-21.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-04-28T00:00:00Z"}], "bugzilla": {"description": "gdm: lock screen bypass when timed login is enabled", "id": "1672825", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1672825"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.0/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-287", "details": ["A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session.", "A vulnerability was discovered in gdm when timed login is enabled in configuration. An attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire at which time they would gain access to the logged-in user's session."], "mitigation": {"lang": "en:us", "value": "Ensure timed login is not enabled in gdm configuration, by checking the output of:\n~~~\ngrep TimedLogin /etc/gdm/custom.conf\n~~~"}, "name": "CVE-2019-3825", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "gdm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "gdm", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2019-02-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-3825\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3825\nhttps://gitlab.gnome.org/GNOME/gdm/issues/460\nhttps://gitlab.gnome.org/GNOME/gdm/merge_requests/58"], "threat_severity": "Moderate"}

Metrics

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Metrics

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object