Vulnerability identifier: #VU48557

Vulnerability risk: Low

CVSSv3.1: 4 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-17489

CWE-ID: CWE-522

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
gnome-shell
Client/Desktop applications / Software for system administration

Vendor: Gnome Development Team

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to the way GNOME gnome-shell handles the password box after user logout. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. An attacker with physical access to the system can eavesdrop on the password.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

gnome-shell: 3.36.0 - 3.36.4

---

External links
http://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997

---

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.