CVE-2020-17489

low-risk

Published 2020-08-11

An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)

Do I need to act?

0.15% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

PHYSICAL / LOW complexity

Affected Products (4)

Gnome-Shell

Ubuntu Linux

Debian Linux

Leap

Affected Vendors

Debian Gnome Canonical Opensuse

References (10)

Third Party Advisory http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html

Exploit https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997

Third Party Advisory https://lists.debian.org/debian-lts-announce/2020/09/msg00014.html

Third Party Advisory https://security.gentoo.org/glsa/202009-08

Third Party Advisory https://usn.ubuntu.com/4464-1/

Third Party Advisory http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html

Exploit https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997

Third Party Advisory https://lists.debian.org/debian-lts-announce/2020/09/msg00014.html

Third Party Advisory https://security.gentoo.org/glsa/202009-08

Third Party Advisory https://usn.ubuntu.com/4464-1/

/ 100

low-risk

Severity 15/34 · Moderate

Exploitability 1/34 · Minimal

Exposure 10/34 · Low