Multiple vulnerabilities in GNOME Display Manager
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2013-4169 CVE-2010-2387 |
| CWE-ID | CWE-59 CWE-255 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
GNOME Display Manager Client/Desktop applications / Other client software |
| Vendor | Gnome Development Team |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Link following
EUVDB-ID: #VU42592
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-4169
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
GNOME Display Manager (gdm) before 2.21.1 allows local users to change permissions of arbitrary directories via a symlink attack on /tmp/.X11-unix/.
MitigationInstall update from vendor's website.
Vulnerable software versionsGNOME Display Manager: 0.7 - 2.20.10
External linkshttp://rhn.redhat.com/errata/RHSA-2013-1213.html
http://secunia.com/advisories/54661
http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=988498
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Credentials management
EUVDB-ID: #VU43243
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2010-2387
CWE-ID:
CWE-255 - Credentials Management
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
vicious-extensions/ve-misc.c in GNOME Display Manager (gdm) 2.20.x before 2.20.11, when GDM debug is enabled, logs the user password when it contains invalid UTF8 encoded characters, which might allow local users to gain privileges by reading the information from syslog logs.
MitigationInstall update from vendor's website.
Vulnerable software versionsGNOME Display Manager: 2.20.0 - 2.20.10
External linkshttp://ftp.gnome.org/pub/GNOME/sources/gdm/2.20/gdm-2.20.11.changes
http://secunia.com/advisories/40690
http://secunia.com/advisories/40780
http://www.auscert.org.au/13123
http://www.osvdb.org/66643
http://blogs.oracle.com/sunsecurity/entry/cve_2010_2387_password_disclosure
http://bugzilla.gnome.org/show_bug.cgi?id=571846
http://exchange.xforce.ibmcloud.com/vulnerabilities/60642
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
