製品・ソフトウェアに関する情報

JVN脆弱性詳細

KDE KWallet におけるリンク解釈に関する脆弱性

Title	KDE KWallet におけるリンク解釈に関する脆弱性
Summary	KDE KWallet には、リンク解釈に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 4, 2018, midnight
Registration Date	June 27, 2018, 5:05 p.m.
Last Update	June 27, 2018, 5:05 p.m.

Affected System

KDE project

KDE Wallet Manager 5.12.6 未満

Debian

Debian GNU/Linux

openSUSE project

openSUSE Leap

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-10380	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10380
National Vulnerability Database (NVD)
2	CVE-2018-10380	https://nvd.nist.gov/vuln/detail/CVE-2018-10380

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-59	https://jvndb.jvn.jp/ja/cwe/CWE-59.html

ベンダー情報

No	Name	URL
Bugzilla
1	Bug 1090863	https://bugzilla.suse.com/show_bug.cgi?id=1090863
Debian Security Advisory
2	DSA-4200	https://www.debian.org/security/2018/dsa-4200
KDE
3	Move salt creation to an unprivileged process (2134dec)	https://cgit.kde.org/kwallet-pam.git/commit/?id=2134dec85ce19d6378d03cddfae9e5e464cb24c0
4	Move salt creation to an unprivileged process (99abc7f)	https://cgit.kde.org/kwallet-pam.git/commit/?id=99abc7fde21f40cc6da5feb6ee766cc46fcca1f8
5	Move socket creation to unprivileged codepath (01d4143)	https://cgit.kde.org/kwallet-pam.git/commit/?id=01d4143fda5bddb6dca37b23304dc239a5fb38b5
6	Move socket creation to unprivileged codepath (802f305)	https://cgit.kde.org/kwallet-pam.git/commit/?id=802f305d81f8771c4f4a8bd7fd0e368ffc6f9b3b
KDE Project Security Advisory
7	kwallet-pam: Access to privileged files	https://www.kde.org/info/security/advisory-20180503-1.txt

Change Log

No	Changed Details	Date of change
1	[2018年06月27日] 掲載	June 27, 2018, 5:05 p.m.

NVD Vulnerability Information

CVE-2018-10380

Summary	kwallet-pam in KDE KWallet before 5.12.6 allows local users to obtain ownership of arbitrary files via a symlink attack.
Publication Date	May 8, 2018, 9:29 p.m.
Registration Date	March 1, 2021, 6:42 p.m.
Last Update	Nov. 21, 2024, 12:41 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:kde:plasma::::::::					5.12.6

Related information, measures and tools

No	URL	タグ
1	https://bugzilla.suse.com/show_bug.cgi?id=1090863	Issue Tracking Patch Third Party Advisory
2	https://bugzilla.suse.com/show_bug.cgi?id=1090863	Issue Tracking Patch Third Party Advisory
3	https://commits.kde.org/kwallet-pam/01d4143fda5bddb6dca37b23304dc239a5fb38b5	Patch Vendor Advisory
4	https://commits.kde.org/kwallet-pam/01d4143fda5bddb6dca37b23304dc239a5fb38b5	Patch Vendor Advisory
5	https://commits.kde.org/kwallet-pam/2134dec85ce19d6378d03cddfae9e5e464cb24c0	Patch Vendor Advisory
6	https://commits.kde.org/kwallet-pam/2134dec85ce19d6378d03cddfae9e5e464cb24c0	Patch Vendor Advisory
7	https://commits.kde.org/kwallet-pam/802f305d81f8771c4f4a8bd7fd0e368ffc6f9b3b	Patch Vendor Advisory
8	https://commits.kde.org/kwallet-pam/802f305d81f8771c4f4a8bd7fd0e368ffc6f9b3b	Patch Vendor Advisory
9	https://commits.kde.org/kwallet-pam/99abc7fde21f40cc6da5feb6ee766cc46fcca1f8	Patch Vendor Advisory
10	https://commits.kde.org/kwallet-pam/99abc7fde21f40cc6da5feb6ee766cc46fcca1f8	Patch Vendor Advisory
11	https://www.debian.org/security/2018/dsa-4200	Third Party Advisory
12	https://www.debian.org/security/2018/dsa-4200	Third Party Advisory
13	https://www.kde.org/info/security/advisory-20180503-1.txt	Patch Vendor Advisory
14	https://www.kde.org/info/security/advisory-20180503-1.txt	Patch Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-59	リンク解釈の問題	https://cwe.mitre.org/data/definitions/59.html