CVE-2020-28049

CVE-2020-28049

Name

CVE-2020-28049

Description

An issue was discovered in SDDM before 0.19.0. It incorrectly starts the X server in a way that - for a short time period - allows local unprivileged users to create a connection to the X server without providing proper authentication. A local attacker can thus access X server display contents and, for example, intercept keystrokes or access the clipboard. This is caused by a race condition during Xauthority file creation.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Exploit	https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-28049
Release Notes	https://github.com/sddm/sddm/blob/v0.19.0/ChangeLog
Release Notes	https://github.com/sddm/sddm/releases
Third Party Advisory	https://www.debian.org/security/2020/dsa-4783
Mailing List	https://lists.debian.org/debian-lts-announce/2020/11/msg00009.html
Mailing List	http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00031.html
Third Party Advisory	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GT3EX5NSQJJAKY63ENSMEDX6NYZLYY3S/

Type

URI

Exploit

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2020-28049

Release Notes

https://github.com/sddm/sddm/blob/v0.19.0/ChangeLog

Release Notes

https://github.com/sddm/sddm/releases

Third Party Advisory

https://www.debian.org/security/2020/dsa-4783

Mailing List

https://lists.debian.org/debian-lts-announce/2020/11/msg00009.html