Security Flaw in GNOME Shell Affects User Account Information Visibility
CVE-2020-17489

4.3MEDIUM

Key Information:

Vendor
Gnome
Status
Gnome-shell
Vendor
CVE Published:
11 August 2020

Summary

A security issue has been identified in specific configurations of GNOME gnome-shell versions up to 3.36.4. When a user logs out, if the password was set to display in cleartext during login, it can briefly reappear in the password box of the login dialog. This unintended visibility of the password poses a potential security risk, especially if the user left their account unattended. If the option to show the password in cleartext was not utilized, only the length of the password is disclosed, limiting the risk but still raising concerns about user privacy during the logout process.

References

https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997
x_refsource_MISC
https://usn.ubuntu.com/4464-1/
vendor-advisoryx_refsource_UBUNTU
https://security.gentoo.org/glsa/202009-08
vendor-advisoryx_refsource_GENTOO

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.