CVE-2003-0690 - KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which m

CVE-2003-0690

Summary

KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module.

References

Vulnerable Configurations

cpe:2.3:o:kde:kde:1.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:1.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:1.1.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:1.1.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:1.1.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:1.1.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:1.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:1.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.0:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.0:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.0.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.0.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.0_beta:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.0_beta:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.1.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.1.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.1.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.1.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.2.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.2.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.2.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:2.2.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.3:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.3:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.3a:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.3a:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.4:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.4:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.5:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.5:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.5a:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.5a:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.5b:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.0.5b:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.1.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.1.1:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.1.1a:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.1.1a:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.1.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.1.2:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.1.3:*:*:*:*:*:*:*
cpe:2.3:o:kde:kde:3.1.3:*:*:*:*:*:*:*

CVSS

Base:	10.0 (as of 11-10-2017 - 01:29)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:N/C:C/I:C/A:C

oval via4

accepted

2007-04-25T19:52:21.414-04:00

class

vulnerability

contributors

name Jay Beale
organization Bastille Linux
name Thomas R. Jones
organization Maitreya Security

description

family

unix

oval:org.mitre.oval:def:193

status

accepted

submitted

2003-09-21T12:00:00.000-04:00

title

KDM pam_setcred Privilege Escalation Vulnerability

version

redhat via4

advisories

rhsa
id RHSA-2003:270
rhsa
id RHSA-2003:286
rhsa
id RHSA-2003:287
rhsa
id RHSA-2003:288
rhsa
id RHSA-2003:289

refmap via4

bugtraq	20030916 [KDE SECURITY ADVISORY] KDM vulnerabilities
conectiva	CLA-2003:747
confirm	http://www.kde.org/info/security/advisory-20030916-1.txt
debian	DSA-388 DSA-443
mandrake	MDKSA-2003:091
misc	http://cert.uni-stuttgart.de/archive/suse/security/2002/12/msg00101.html

Last major update

11-10-2017 - 01:29

Published

06-10-2003 - 04:00

Last modified

11-10-2017 - 01:29