rpm package
opensuse/gdm&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/gdm&distro=openSUSE%20Tumbleweed
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-6018 | — | < 48.0-10.1 | 48.0-10.1 | Jul 23, 2025 | A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for | ||
| CVE-2020-27837 | — | < 41.0-1.1 | 41.0-1.1 | Dec 28, 2020 | A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but re | ||
| CVE-2020-16125 | — | < 41.0-1.1 | 41.0-1.1 | Nov 10, 2020 | gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a | ||
| CVE-2019-3825 | — | < 3.38.2-2.7 | 3.38.2-2.7 | Feb 6, 2019 | A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session. | ||
| CVE-2018-14424 | — | < 3.38.2-2.7 | 3.38.2-2.7 | Aug 14, 2018 | The daemon in GDM through 3.29.1 does not properly unexport display objects from its D-Bus interface when they are destroyed, which allows a local attacker to trigger a use-after-free via a specially crafted sequence of D-Bus method calls, resulting in a denial of service or pote | ||
| CVE-2017-12164 | — | < 3.38.2-2.7 | 3.38.2-2.7 | Jul 26, 2018 | A flaw was discovered in gdm 3.24.1 where gdm greeter was no longer setting the ran_once boolean during autologin. If autologin was enabled for a victim, an attacker could simply select 'login as another user' to unlock their screen. | ||
| CVE-2015-7496 | — | < 3.22.1-1.2 | 3.22.1-1.2 | Nov 24, 2015 | GNOME Display Manager (gdm) before 3.18.2 allows physically proximate attackers to bypass the lock screen by holding the Escape key. | ||
| CVE-2011-1709 | — | < 3.22.1-1.2 | 3.22.1-1.2 | Jun 14, 2011 | GNOME Display Manager (gdm) before 2.32.2, when glib 2.28 is used, enables execution of a web browser with the uid of the gdm account, which allows local users to gain privileges via vectors involving the x-scheme-handler/http MIME type. |
- CVE-2025-6018Jul 23, 2025affected < 48.0-10.1fixed 48.0-10.1
A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for
- CVE-2020-27837Dec 28, 2020affected < 41.0-1.1fixed 41.0-1.1
A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but re
- CVE-2020-16125Nov 10, 2020affected < 41.0-1.1fixed 41.0-1.1
gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a
- CVE-2019-3825Feb 6, 2019affected < 3.38.2-2.7fixed 3.38.2-2.7
A vulnerability was discovered in gdm before 3.31.4. When timed login is enabled in configuration, an attacker could bypass the lock screen by selecting the timed login user and waiting for the timer to expire, at which time they would gain access to the logged-in user's session.
- CVE-2018-14424Aug 14, 2018affected < 3.38.2-2.7fixed 3.38.2-2.7
The daemon in GDM through 3.29.1 does not properly unexport display objects from its D-Bus interface when they are destroyed, which allows a local attacker to trigger a use-after-free via a specially crafted sequence of D-Bus method calls, resulting in a denial of service or pote
- CVE-2017-12164Jul 26, 2018affected < 3.38.2-2.7fixed 3.38.2-2.7
A flaw was discovered in gdm 3.24.1 where gdm greeter was no longer setting the ran_once boolean during autologin. If autologin was enabled for a victim, an attacker could simply select 'login as another user' to unlock their screen.
- CVE-2015-7496Nov 24, 2015affected < 3.22.1-1.2fixed 3.22.1-1.2
GNOME Display Manager (gdm) before 3.18.2 allows physically proximate attackers to bypass the lock screen by holding the Escape key.
- CVE-2011-1709Jun 14, 2011affected < 3.22.1-1.2fixed 3.22.1-1.2
GNOME Display Manager (gdm) before 2.32.2, when glib 2.28 is used, enables execution of a web browser with the uid of the gdm account, which allows local users to gain privileges via vectors involving the x-scheme-handler/http MIME type.