MidnightBSD

Advisories for sddm_project

CVE-2014-7271 MEDIUM

Simple Desktop Display Manager (SDDM) before 0.10.0 allows local users to log in as user "sddm" without authentication.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
fedoraproject fedora 21
fedoraproject fedora 20
sddm_project sddm *
CVE-2014-7272 HIGH

Simple Desktop Display Manager (SDDM) before 0.10.0 allows local users to gain root privileges because code running as root performs write operations within a user home directory, and this user may have created links in advance (exploitation requires the user to win a race condition in the ~/.Xauthority chown case, but not other cases).

CVSS 2.0

Severity: HIGH

Problem Type: CWE-264,

Products Affected

Vendor Product Version
fedoraproject fedora 21
fedoraproject fedora 20
sddm_project sddm *
CVE-2015-0856 MEDIUM

daemon/Greeter.cpp in sddm before 0.13.0 does not properly disable the KDE crash handler, which allows local users to gain privileges by crashing a greeter when using certain themes, as demonstrated by the plasma-workspace breeze theme.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-264,

Products Affected

Vendor Product Version
fedoraproject fedora 22
sddm_project sddm *
CVE-2018-14345 MEDIUM

An issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session. This is related to daemon/Display.cpp and helper/backend/PamBackend.cpp.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,CWE-613,

Products Affected

Vendor Product Version
sddm_project sddm *
CVE-2020-28049 LOW

An issue was discovered in SDDM before 0.19.0. It incorrectly starts the X server in a way that - for a short time period - allows local unprivileged users to create a connection to the X server without providing proper authentication. A local attacker can thus access X server display contents and, for example, intercept keystrokes or access the clipboard. This is caused by a race condition during Xauthority file creation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N 1.0 5.2

CVSS 2.0

Severity: LOW

Problem Type: CWE-362,CWE-362,

Products Affected

Vendor Product Version
debian debian_linux 10.0
fedoraproject fedora 33
debian debian_linux 9.0
opensuse leap 15.2
opensuse leap 15.1
sddm_project sddm *