#VU48557 Insufficiently protected credentials in gnome-shell - CVE-2020-17489
Published: August 11, 2020 / Updated: November 19, 2020
Vulnerability identifier: #VU48557
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-17489
CWE-ID: CWE-522
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
gnome-shell
gnome-shell
Software vendor:
Gnome Development Team
Gnome Development Team
Description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to the way GNOME gnome-shell handles the password box after user logout. When logging out of an account, the password box from the login dialog
reappears with the password still visible. If the user had decided to
have the password shown in cleartext at login time, it is then visible
for a brief moment upon a logout. An attacker with physical access to the system can eavesdrop on the password.
Remediation
Install updates from vendor's website.