CVE-2020-16125 HIGH

CVE-2020-16125: gdm3 would start gnome-initial-setup if it cannot contact accountservice

Vendor Gnome
Product GDM3
Weakness CWE-754
Published November 10, 2020
Last update September 17, 2024

CVSS base score

7.2/10
Attack vector Physical
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a new privileged account.

Key dates

02Disclosure timeline

November 10, 2020 CVE published
September 17, 2024 Record updated