// For flags

CVE-2020-16125

gdm3 would start gnome-initial-setup if it cannot contact accountservice

Severity Score

6.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a new privileged account.

gdm3 versiones anteriores a 3.36.2 o 3.38.2, comenzaría la configuración inicial de gnom si gdm3 no puede ponerse en contacto con el servicio de cuentas por medio de dbus de manera oportuna; en Ubuntu (y potencialmente en sus derivados) esto podría enlazarse con un problema adicional que podría permitir a un usuario local crear una nueva cuenta privilegiada

A vulnerability was found in GDM. If gdm can't contact the AccountService service via DBus in a timely manner it would default to assume there are no existing users and would allow the attacker to create a new user with high privileges.

*Credits: Kevin Backhouse
CVSS Scores
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Physical
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-07-29 CVE Reserved
  • 2020-11-03 CVE Published
  • 2023-07-26 EPSS Updated
  • 2023-08-03 First Exploit
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-636: Not Failing Securely ('Failing Open')
  • CWE-754: Improper Check for Unusual or Exceptional Conditions
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Gnome
Search vendor "Gnome"
Gnome Display Manager
Search vendor "Gnome" for product "Gnome Display Manager"
< 3.36.2
Search vendor "Gnome" for product "Gnome Display Manager" and version " < 3.36.2"
-
Affected
Gnome
Search vendor "Gnome"
Gnome Display Manager
Search vendor "Gnome" for product "Gnome Display Manager"
>= 3.38.0 < 3.38.2
Search vendor "Gnome" for product "Gnome Display Manager" and version " >= 3.38.0 < 3.38.2"
-
Affected