{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2018-19358", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-09-17T01:40:52.760Z", "dateReserved": "2018-11-18T00:00:00Z", "datePublished": "2018-11-18T19:00:00Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-10-23T15:33:21.913290"}, "descriptions": [{"lang": "en", "value": "GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used. NOTE: the vendor disputes this because, according to the security model, untrusted applications must not be allowed to access the user's session bus socket."}], "tags": ["disputed"], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1780365"}, {"url": "https://github.com/sungjungk/keyring_crack"}, {"url": "https://www.youtube.com/watch?v=Do4E9ZQaPck"}, {"url": "https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/5#note_1876550"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1652194#c8"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}], "datePublic": "2018-11-18T00:00:00"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T11:37:09.974Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1780365", "tags": ["x_transferred"]}, {"url": "https://github.com/sungjungk/keyring_crack", "tags": ["x_transferred"]}, {"url": "https://www.youtube.com/watch?v=Do4E9ZQaPck", "tags": ["x_transferred"]}, {"url": "https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/5#note_1876550", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1652194#c8", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnome:gnome-keyring:*:*:*:*:*:*:*:*", "matchCriteriaId": "683C2CDF-52DB-4EDE-86C2-BDE3A35D3B52", "versionEndIncluding": "3.28.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used. NOTE: the vendor disputes this because, according to the security model, untrusted applications must not be allowed to access the user's session bus socket."}, {"lang": "es", "value": "GNOME Keyring hasta la versi\u00f3n 3.28.2 permite que usuarios locales recuperen las credenciales de inicio de sesi\u00f3n mediante una llamada API Secret Service y la interfaz D-Bus si el keyring est\u00e1 desbloqueado. Este problema es similar a CVE-2008-7320. Una perspectiva es que esto ocurre debido a que los mecanismos de protecci\u00f3n disponibles para D-Bus (relacionados con los elementos XML busconfig y policy) no se emplean."}], "id": "CVE-2018-19358", "lastModified": "2024-08-05T12:15:23.783", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-11-18T19:29:00.297", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugs.launchpad.net/ubuntu/+source/gnome-keyring/+bug/1780365"}, {"source": "cve@mitre.org", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1652194#c8"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/sungjungk/keyring_crack"}, {"source": "cve@mitre.org", "url": "https://gitlab.gnome.org/GNOME/gnome-keyring/-/issues/5#note_1876550"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.youtube.com/watch?v=Do4E9ZQaPck"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "gnome-keyring: login credentials retrieval via a Secret Service API call", "id": "1652194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1652194"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used. NOTE: the vendor disputes this because, according to the security model, untrusted applications must not be allowed to access the user's session bus socket."], "name": "CVE-2018-19358", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "gnome-keyring", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "gnome-keyring", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "gnome-keyring", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gnome-keyring", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2018-07-06T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-19358\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-19358"], "statement": "Red Hat has determined that this flaw is not a security vulnerability pertaining to gnome-keyring as the underlying issue is that there is currently no way (except by using Flatkpak, sandboxing, containers, etc.) to completely separate user applications from each other, which in turn means it is possible for applications running in the same user session to gain access to each other's secrets.", "threat_severity": "Moderate"}