CVE-2003-0690
Description
KDM in KDE 3.1.3 and earlier fails to check pam_setcred success, allowing privilege escalation via PAM module errors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred call succeeds. An error condition raised inside a PAM module, such as the MIT pam_krb5 module, therefore goes unnoticed by KDM and can be used to gain elevated privileges. The vulnerability is present in KDE versions up to and including 3.1.3. [1][2][3][4]
Exploitation
An attacker can trigger error conditions in PAM modules (e.g., by providing invalid credentials or causing authentication failures) that cause pam_setcred to fail. Because KDM does not check the return value, the session may be established with incorrect credentials, potentially leading to root access. The attack requires local access to the system and the ability to interact with the KDM login process.
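The flaw described above is an unchecked return value at the credential stage of the PAM conversation. The following is an added example, not KDM's own code: it places the unchecked pattern beside its hardened form. libpam is replaced by a constructed stand-in so the file compiles and runs offline; the function names and PAM_* values mirror the Linux-PAM API, but the pam_handle_t layout, the run_login helper and the result fields are invented for this demonstration.

```c
/*
 * Added example for CVE-2003-0690 (not KDM's code). A constructed
 * stand-in for libpam lets the two login routines run offline.
 */
#include <stdio.h>

/* PAM return codes and flags used below; values mirror Linux-PAM. */
#define PAM_SUCCESS        0
#define PAM_AUTH_ERR       7
#define PAM_CRED_ERR       17
#define PAM_ESTABLISH_CRED 0x0002

/* Constructed stand-in for libpam's opaque handle: each *_rc field is
 * the status the matching mock call returns; the remaining fields
 * record what the login routine did so a caller can inspect it. */
typedef struct {
    int authenticate_rc;
    int acct_mgmt_rc;
    int setcred_rc;
    int creds_established;  /* 1 if pam_setcred "succeeded" */
    int ended_with;         /* status handed to pam_end(), -1 if never called */
} pam_handle_t;

static int pam_authenticate(pam_handle_t *h, int flags) { (void)flags; return h->authenticate_rc; }
static int pam_acct_mgmt(pam_handle_t *h, int flags)    { (void)flags; return h->acct_mgmt_rc; }
static int pam_end(pam_handle_t *h, int status)         { h->ended_with = status; return PAM_SUCCESS; }
static int pam_setcred(pam_handle_t *h, int flags)
{
    (void)flags;
    if (h->setcred_rc == PAM_SUCCESS)
        h->creds_established = 1;   /* only a successful call installs credentials */
    return h->setcred_rc;
}

/* Vulnerable pattern: authentication and account checks are verified,
 * but the result of pam_setcred() is discarded, so the session starts
 * even when the credential module reported failure.
 * Returns 1 if a session would be started, 0 otherwise. */
int start_session_unchecked(pam_handle_t *h)
{
    if (pam_authenticate(h, 0) != PAM_SUCCESS) { pam_end(h, PAM_AUTH_ERR); return 0; }
    if (pam_acct_mgmt(h, 0) != PAM_SUCCESS)    { pam_end(h, PAM_AUTH_ERR); return 0; }
    pam_setcred(h, PAM_ESTABLISH_CRED);        /* return value ignored */
    return 1;                                  /* session starts regardless */
}

/* Hardened form: every stage, including pam_setcred(), must return
 * PAM_SUCCESS; the first failure aborts the login and passes its
 * status to pam_end() so modules can clean up. */
int start_session_checked(pam_handle_t *h)
{
    int rc = pam_authenticate(h, 0);
    if (rc == PAM_SUCCESS) rc = pam_acct_mgmt(h, 0);
    if (rc == PAM_SUCCESS) rc = pam_setcred(h, PAM_ESTABLISH_CRED);
    if (rc != PAM_SUCCESS) {
        pam_end(h, rc);
        return 0;
    }
    return 1;
}

/* Helper (invented for the demo): drive one login through the given
 * routine with a handle whose pam_setcred() returns setcred_rc.
 * Reports whether a session started and, via ended_with, how pam_end
 * was called. */
int run_login(int (*start)(pam_handle_t *), int setcred_rc, int *ended_with)
{
    pam_handle_t h = { PAM_SUCCESS, PAM_SUCCESS, setcred_rc, 0, -1 };
    int started = start(&h);
    if (ended_with) *ended_with = h.ended_with;
    return started;
}

int main(void)
{
    int ended;
    printf("setcred fails, unchecked: session started = %d\n",
           run_login(start_session_unchecked, PAM_CRED_ERR, &ended));
    printf("setcred fails, checked:   session started = %d, pam_end status = %d\n",
           run_login(start_session_checked, PAM_CRED_ERR, &ended), ended);
    printf("setcred ok,    checked:   session started = %d\n",
           run_login(start_session_checked, PAM_SUCCESS, &ended));
    return 0;
}
```

The checked routine is the pattern to look for when auditing any setuid login program that uses PAM: each of pam_authenticate, pam_acct_mgmt, pam_setcred and pam_open_session has a return value, and the session must not be started, nor privileges changed, until all of them have returned PAM_SUCCESS.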
Impact
Successful exploitation allows an attacker to gain root privileges. The impact is complete compromise of the system's confidentiality, integrity, and availability.
Mitigation
Red Hat released updated packages as part of RHSA-2003:289, RHSA-2003:288, RHSA-2003:270, and RHSA-2003:286. Users should upgrade to the fixed versions of KDE provided in those advisories. No workaround is documented.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:kde:kde:1.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:1.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.0:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.0_beta:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.3a:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.5a:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.5b:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.1.1a:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.1.3:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.kde.org/info/security/advisory-20030916-1.txt (NVD: Patch, Vendor Advisory)
- www.redhat.com/support/errata/RHSA-2003-270.html (NVD: Patch, Vendor Advisory)
- cert.uni-stuttgart.de/archive/suse/security/2002/12/msg00101.html (NVD)
- distro.conectiva.com.br/atualizacoes/ (NVD)
- marc.info (NVD)
- www.debian.org/security/2003/dsa-388 (NVD)
- www.debian.org/security/2004/dsa-443 (NVD)
- www.mandriva.com/security/advisories (NVD)
- www.redhat.com/support/errata/RHSA-2003-286.html (NVD)
- www.redhat.com/support/errata/RHSA-2003-287.html (NVD)
- www.redhat.com/support/errata/RHSA-2003-288.html (NVD)
- www.redhat.com/support/errata/RHSA-2003-289.html (NVD)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A193 (NVD)
News mentions
No linked articles in our index yet.