Insufficiently protected credentials in gnome-shell - CVE-2020-17489

 

Insufficiently protected credentials in gnome-shell - CVE-2020-17489

Published: August 11, 2020 / Updated: November 19, 2020


Vulnerability identifier: #VU48557
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-17489
CWE-ID: CWE-522
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Gnome Development Team
Affected software:
gnome-shell

Detailed vulnerability description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the way GNOME gnome-shell handles the password box after user logout. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. An attacker with physical access to the system can eavesdrop on the password.


How to mitigate CVE-2020-17489

Install updates from vendor's website.

Sources