CVE-2003-0692
Description
KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm, enabling brute-force attacks to hijack user sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
KDM, the KDE Display Manager in KDE 3.1.3 and earlier, generates session cookies using a weak algorithm that does not provide 128 bits of entropy [3]. This vulnerability allows the session cookies to be guessed via brute force methods, compromising the authentication mechanism that is intended to protect user sessions.
Exploitation
An attacker with network access to the KDM service can attempt to brute-force the session cookie. No special privileges or user interaction beyond the existence of an active login session is required; the attacker simply needs to repeatedly connect and guess the cookie value [1][2]. The weak entropy makes such brute-force attacks feasible within a reasonable timeframe.
Impact
Successful exploitation allows an attacker to obtain a valid session cookie and gain unauthorized access to the target user's session. This can lead to disclosure of sensitive information, modification of files, or other actions within the scope of the compromised user's privileges [3].
Mitigation
KDE has addressed this issue in KDE 3.1.4 by improving the session cookie generation algorithm to provide full 128-bit entropy [3]. Red Hat released updates RHSA-2003:270 and RHSA-2003:288 to fix the flaw in Red Hat Linux [1][2]. Debian also published a security advisory (DSA-388) for their distributions [4]. Users should upgrade KDM to the patched version or apply the appropriate vendor update.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:kde:kde:1.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:1.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:1.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:1.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.0:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.0_beta:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.3a:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.5:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.5a:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.0.5b:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.1.1a:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:o:kde:kde:3.1.3:*:*:*:*:*:*:*
- (no CPE) range: <=3.1.3
Patches
No patches discovered yet.
References
- www.debian.org/security/2003/dsa-388 (nvd; Patch, Vendor Advisory)
- www.kde.org/info/security/advisory-20030916-1.txt (nvd; Patch, Vendor Advisory)
- www.redhat.com/support/errata/RHSA-2003-270.html (nvd; Patch, Vendor Advisory)
- cert.uni-stuttgart.de/archive/suse/security/2002/12/msg00101.html (nvd)
- distro.conectiva.com.br/atualizacoes/ (nvd)
- marc.info (nvd)
- www.mandriva.com/security/advisories (nvd)
- www.redhat.com/support/errata/RHSA-2003-288.html (nvd)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A215 (nvd)