CVE-2018-19358
CVE-2018-19358 is a vulnerability of currently unknown severity. GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used. EPSS estimates a 0.52% chance of exploitation in the next 30 days.
Description
GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used. NOTE: the vendor disputes this because, according to the security model, untrusted applications must not be allowed to access the user's session bus socket.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Gnome | Gnome-Keyring | <= 3.28.2 |
References
- https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1780365 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/sungjungk/keyring_crack (Exploit, Third Party Advisory)
- https://www.youtube.com/watch?v=Do4E9ZQaPck (Exploit, Third Party Advisory)
Timeline
- Status: Modified
Source: NVD / NIST
