CVE-2018-14345

NameCVE-2018-14345
DescriptionAn issue was discovered in SDDM through 0.17.0. If configured with ReuseSession=true, the password is not checked for users with an already existing session. Any user with access to the system D-Bus can therefore unlock any graphical session. This is related to daemon/Display.cpp and helper/backend/PamBackend.cpp.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
sddm (PTS)bullseye0.19.0-3fixed
bookworm0.19.0-5fixed
forky, sid, trixie0.21.0+git20250502.4fe234b-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sddmsourcestretch(not affected)
sddmsource(unstable)0.18.0-1

Notes

[stretch] - sddm <not-affected> (Re-use session feature introduced in 0.16.0)
https://bugzilla.suse.com/show_bug.cgi?id=1101450
https://github.com/sddm/sddm/commit/147cec383892d143b5e02daa70f1e7def50f5d98
Search for package or bug name: Reporting problems