ID CVE-2003-0692
Summary KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session.
References
Vulnerable Configurations
  • cpe:2.3:o:kde:kde:1.1:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:1.1:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:1.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:1.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:1.1.2:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:1.2:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:1.2:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:2.0:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:2.0:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:2.0.1:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:2.0.1:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:2.0_beta:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:2.0_beta:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:2.1:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:2.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:2.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:2.1.2:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:2.2:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:2.2:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:2.2.1:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:2.2.1:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:2.2.2:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0.1:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0.2:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0.3:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0.3a:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0.3a:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0.4:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0.4:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0.5:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0.5:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0.5a:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0.5a:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.0.5b:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.0.5b:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.1:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.1:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.1.1:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.1.1a:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.1.1a:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.1.2:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:o:kde:kde:3.1.3:*:*:*:*:*:*:*
    cpe:2.3:o:kde:kde:3.1.3:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 11-10-2017 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
accepted 2007-04-25T19:52:23.173-04:00
class vulnerability
contributors
  • name Jay Beale
    organization Bastille Linux
  • name Thomas R. Jones
    organization Maitreya Security
description KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session.
family unix
id oval:org.mitre.oval:def:215
status accepted
submitted 2003-09-21T12:00:00.000-04:00
title KDM Weak Cookie Vulnerability
version 38
redhat via4
advisories
  • rhsa
    id RHSA-2003:270
  • rhsa
    id RHSA-2003:288
refmap via4
bugtraq 20030916 [KDE SECURITY ADVISORY] KDM vulnerabilities
conectiva CLA-2003:747
confirm http://www.kde.org/info/security/advisory-20030916-1.txt
debian DSA-388
mandrake MDKSA-2003:091
misc http://cert.uni-stuttgart.de/archive/suse/security/2002/12/msg00101.html
Last major update 11-10-2017 - 01:29
Published 06-10-2003 - 04:00
Last modified 11-10-2017 - 01:29
Back to Top