CVE-2013-4509

2013-11-2319:55:03

CWE-255

[email protected]

web.nvd.nist.gov

CVSS2

1.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

AI Score

6.4

Confidence

Low

EPSS

0.001

Percentile

50.8%

JSON

The default configuration of IBUS 1.5.4, and possibly 1.5.2 and earlier, when IBus.InputPurpose.PASSWORD is not set and used with GNOME 3, does not obscure the entered password characters, which allows physically proximate attackers to obtain a user password by reading the lockscreen.

Affected configurations

Nvd

Node

ibus_projectibusRange≤1.5.2

ibus_projectibusMatch1.5.4

Node

opensuseopensuseMatch13.1

VendorProductVersionCPE
ibus_projectibus*cpe:2.3:a:ibus_project:ibus:*:*:*:*:*:*:*:*
ibus_projectibus1.5.4cpe:2.3:a:ibus_project:ibus:1.5.4:*:*:*:*:*:*:*
opensuseopensuse13.1cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibus_project	ibus	*	cpe:2.3:a:ibus_project:ibus::::::::
ibus_project	ibus	1.5.4	cpe:2.3:a:ibus_project:ibus:1.5.4:::::::*
opensuse	opensuse	13.1	cpe:2.3:o:opensuse:opensuse:13.1:::::::*

References

lists.opensuse.org/opensuse-updates/2013-11/msg00036.html

lists.opensuse.org/opensuse-updates/2013-12/msg00024.html

lists.opensuse.org/opensuse-updates/2014-01/msg00045.html

bugzilla.redhat.com/show_bug.cgi?id=1027028

code.google.com/p/mozc/issues/attachmentText?id=199&aid=1990002000&name=ibus-mozc_support_ibus-1.5.4_rev2.diff&token=P62umpXGXx68XJT6zyvBA727wqE%3A1383693105690

github.com/ibus/ibus-anthy/commit/6aae0a9f145f536515e268dd6b25aa740a5edfe7

groups.google.com/forum/#%21topic/ibus-user/mvCHDO1BJUw