CVE-2020-16125

Publication date 3 November 2020

Last updated 18 August 2025

Ubuntu priority

Medium

Why this priority?

Cvss 3 Severity Score

7.2 · High

Score breakdown

Description

gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can’t contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a new privileged account.

Status

Package Ubuntu Release Status
gdm3 25.10 questing
Fixed 3.38.1-2ubuntu1.1
25.04 plucky
Fixed 3.38.1-2ubuntu1.1
24.10 oracular
Fixed 3.38.1-2ubuntu1.1
24.04 LTS noble
Fixed 3.38.1-2ubuntu1.1
23.10 mantic
Fixed 3.38.1-2ubuntu1.1
23.04 lunar
Fixed 3.38.1-2ubuntu1.1
22.10 kinetic
Fixed 3.38.1-2ubuntu1.1
22.04 LTS jammy
Fixed 3.38.1-2ubuntu1.1
21.10 impish
Fixed 3.38.1-2ubuntu1.1
21.04 hirsute
Fixed 3.38.1-2ubuntu1.1
20.10 groovy
Fixed 3.38.1-2ubuntu1.1
20.04 LTS focal
Fixed 3.36.3-0ubuntu0.20.04.2
18.04 LTS bionic
Fixed 3.28.3-0ubuntu18.04.6
16.04 LTS xenial
Vulnerable
14.04 LTS trusty Not in release

Severity score breakdown

Parameter Value
Base score 7.2 · High
Attack vector Physical
Attack complexity Low
Privileges required Low
User interaction Required
Scope Changed
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

Other references