Vulnerability CVE-2013-4509

Vulnerability CVE-2013-4509

Published: 2013-11-23 Modified: 2013-11-24

Description:

The default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlier, when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not obscure the entered password characters, which allows physically proximate attackers to obtain a user password by reading the lockscreen.

Type:

CWE-255

(Credentials Management)

CVSS2 => (AV:L/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score	Impact Subscore	Exploitability Subscore
1.9/10	2.9/10	3.4/10

Exploit range	Attack complexity	Authentication
Local	Medium	No required
Confidentiality impact	Integrity impact	Availability impact
Partial	None	None

Affected software
Opensuse -> Opensuse
Novell -> Opensuse
Ibus project -> IBUS

References:

http://lists.opensuse.org/opensuse-updates/2013-11/msg00036.html

http://lists.opensuse.org/opensuse-updates/2013-12/msg00024.html

http://lists.opensuse.org/opensuse-updates/2014-01/msg00045.html

https://bugzilla.redhat.com/show_bug.cgi?id=1027028

https://code.google.com/p/mozc/issues/attachmentText?id=199&aid=1990002000&name=ibus-mozc_support_ibus-1.5.4_rev2.diff&token=P62umpXGXx68XJT6zyvBA727wqE%3A1383693105690

https://github.com/ibus/ibus-anthy/commit/6aae0a9f145f536515e268dd6b25aa740a5edfe7

https://groups.google.com/forum/#!topic/ibus-user/mvCHDO1BJUw

Vulnerability CVE-2013-4509

The default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlier, when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not obscure the entered password characters, which allows physically proximate attackers to obtain a user password by reading the lockscreen.

CWE-255

CVSS2 => (AV:L/AC:M/Au:N/C:P/I:N/A:N)

1.9/10

2.9/10

3.4/10

Local

Medium

No required

Partial

None

None

Affected software

References: