CVE-2016-3100

Published on: 07/13/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:02 PM UTC

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Kde Frameworks from Kde contain the following vulnerability:

kinit in KDE Frameworks before 5.23.0 uses weak permissions (644) for /tmp/xauth-xxx-_y, which allows local users to obtain X11 cookies of other users and consequently capture keystrokes and possibly gain privileges by reading the file.

  • CVE-2016-3100 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 8.4 - HIGH

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
LOCAL LOW NONE NONE
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
UNCHANGED HIGH HIGH HIGH

CVSS2 Score: 2.1 - LOW

Access
Vector
Access
Complexity
Authentication
LOCAL LOW NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
PARTIAL NONE NONE

CVE References

Description Tags Link
No Description Provided quickgit.kde.org

Inactive LinkNot Archived
URL Logo CONFIRM quickgit.kde.org/?p=kinit.git&a=commitdiff&h=72f3702dbe6cf15c06dc13da2c99c864e9022a58
Git repository browser web.archive.org
text/html
Inactive LinkNot Archived
URL Logo CONFIRM quickgit.kde.org/?p=kinit.git&a=commitdiff&h=dece8fd89979cd1a86c03bcaceef6e9221e8d8cd
No Description Provided www.kde.com
inode/x-empty
Inactive LinkNot Archived
URL Logo CONFIRM www.kde.com/announcements/kde-frameworks-5.23.0.php
363140 – World-readable X11 Cookie, easy key logger bugs.kde.org
text/html
URL Logo CONFIRM bugs.kde.org/show_bug.cgi?id=363140
openSUSE-SU-2016:1723-1: moderate: Security update for kinit lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:1723
358593 – kdeinit5 create /tmp/xauth-xxx-_y with inappropriate permission. bugs.kde.org
text/html
URL Logo CONFIRM bugs.kde.org/show_bug.cgi?id=358593
Malformed Request cve.report (archive)
text/html
URL Logo BID 91769
www.kde.org
text/plain
CONFIRM www.kde.org/info/security/advisory-20160621-1.txt

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
ApplicationKdeKde FrameworksAllAllAllAll
Operating
System
OpensuseLeap42.1AllAllAll
Operating
System
OpensuseLeap42.1AllAllAll
Operating
System
OpensuseOpensuse13.2AllAllAll
Operating
System
OpensuseOpensuse13.2AllAllAll
  • cpe:2.3:a:kde:kde_frameworks:*:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*: