Credentials management in GNOME Display Manager - CVE-2010-2387

 


Published: December 21, 2012 / Updated: August 11, 2020


Vulnerability identifier: #VU43243
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2010-2387
CWE-ID: CWE-255
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Gnome Development Team
Affected software:
GNOME Display Manager

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

vicious-extensions/ve-misc.c in GNOME Display Manager (gdm) 2.20.x before 2.20.11, when GDM debug is enabled, logs the user password when it contains invalid UTF-8 encoded characters, which might allow local users to gain privileges by reading the information from syslog logs.
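
The logging pattern described above, as an added example (not GDM's code from ve-misc.c): a debug message that echoes a string rejected as invalid UTF-8 exposes a password, while one that reports only the length and offset does not. The function names, message text and sample password are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified structural UTF-8 check, constructed for this example.
 * Returns the offset of the first malformed sequence, or -1 if none. */
static long first_invalid_utf8(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    size_t i = 0, n = strlen(s);
    while (i < n) {
        unsigned char c = p[i];
        size_t need = c < 0x80 ? 0 : (c >= 0xC2 && c <= 0xDF) ? 1 :
                      (c >= 0xE0 && c <= 0xEF) ? 2 :
                      (c >= 0xF0 && c <= 0xF4) ? 3 : 4; /* 4 = bad lead byte */
        if (need == 4 || need > n - i - 1)
            return (long)i;
        for (size_t k = 1; k <= need; k++)
            if ((p[i + k] & 0xC0) != 0x80)
                return (long)i;
        i += need + 1;
    }
    return -1;
}

/* Pattern behind the bug: the debug message embeds the rejected input. */
static int debug_msg_unsafe(char *out, size_t cap, const char *input)
{
    if (first_invalid_utf8(input) < 0)
        return 0;
    return snprintf(out, cap, "invalid UTF-8 string: '%s'", input);
}

/* Hardened form: describe the failure without echoing any input bytes. */
static int debug_msg_safe(char *out, size_t cap, const char *input)
{
    long off = first_invalid_utf8(input);
    if (off < 0)
        return 0;
    return snprintf(out, cap, "invalid UTF-8 string: %zu bytes, bad offset %ld", strlen(input), off);
}

int main(void)
{
    const char *pw = "s3cr\xe9t"; /* constructed password with a Latin-1 byte */
    char a[128], b[128];
    debug_msg_unsafe(a, sizeof a, pw);
    debug_msg_safe(b, sizeof b, pw);
    printf("unsafe: %s\nsafe:   %s\n", a, b);
}
```
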


How to mitigate CVE-2010-2387

Install the update from the vendor's website. The issue affects gdm 2.20.x before 2.20.11.
