CVE-2020-16125

Name
CVE-2020-16125
Description
gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a new privileged account.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Third Party Advisory https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1900314
Exploit https://gitlab.gnome.org/GNOME/gdm/-/issues/642
Exploit https://securitylab.github.com/advisories/GHSL-2020-202-gdm3-LPE-unresponsive-accounts-daemon

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:gnome:gnome_display_manager:*:*:*:*:*:*:*:* gnome_display_manager >= None < 3.36.2
cpe:2.3:a:gnome:gnome_display_manager:*:*:*:*:*:*:*:* gnome_display_manager >= 3.38.0 < 3.38.2

Vulnerable and fixed packages

Source package Branch Version Maintainer Status