Vulnerability Name: CVE-2020-17489 (CCN-186850)

Assigned: 2020-07-18
Published: 2020-07-18
Updated: 2021-03-26
Summary: An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)
CVSS v3 Severity: 4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Physical
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
4.3 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
3.8 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Physical
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 1.9 Low (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-522
CWE-200
Vulnerability Consequences: Obtain Information
References:

Source: MITRE
Type: CNA
CVE-2020-17489

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2020:1861

Source: XF
Type: UNKNOWN
gnome-cve202017489-info-disc(186850)

Source: CCN
Type: gnome-shell GIT Repository
User Password is Visible on Logout

Source: MISC
Type: Exploit, Patch, Vendor Advisory
https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997

Source: MLIST
Type: Third Party Advisory
[debian-lts-announce] 20200915 [SECURITY] [DLA 2374-1] gnome-shell security update

Source: GENTOO
Type: Third Party Advisory
GLSA-202009-08

Source: UBUNTU
Type: Third Party Advisory
USN-4464-1

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:gnome:gnome-shell:*:*:*:*:*:*:*:* (Version <= 3.36.4)

Configuration 2:
  • cpe:/o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
  • OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:leap:15.2:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:gnome:gnome-shell:3.36.4:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:202017489 | V | CVE-2020-17489 | 2023-06-22
oval:org.opensuse.security:def:7895 | P | gnome-extensions-41.9-150400.3.8.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:661 | P | Security update for vsftpd (Moderate) (in QA) | 2022-10-11
oval:org.opensuse.security:def:3562 | P | libXp6-1.0.2-3.57 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3277 | P | libvirt-5.1.0-11.10 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94745 | P | libzip-devel-1.8.0-150400.1.7 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:2905 | P | dbus-1-1.12.2-150400.16.52 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:2915 | P | emacs-27.2-150400.1.49 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94907 | P | gnome-extensions-41.4-150400.1.7 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95192 | P | gnome-shell-calendar-41.4-150400.1.7 on GA media (Moderate) | 2022-06-22
oval:com.redhat.rhsa:def:20221814 | P | RHSA-2022:1814: gnome-shell security and bug fix update (Low) | 2022-05-10
oval:org.opensuse.security:def:1664 | P | Security update for apache2-mod_auth_mellon (Moderate) | 2022-05-04
oval:org.opensuse.security:def:112311 | P | gnome-extensions-40.5-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:70370 | P | Security update for libvirt (Important) | 2022-01-05
oval:org.opensuse.security:def:51726 | P | Security update for chrony (Moderate) | 2021-12-22
oval:org.opensuse.security:def:64799 | P | Security update for samba (Important) | 2021-11-15
oval:org.opensuse.security:def:49454 | P | Security update for python3 (Moderate) | 2021-10-20
oval:org.opensuse.security:def:105833 | P | gnome-extensions-40.5-1.1 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:49299 | P | Security update for python-urllib3 (Moderate) | 2021-09-29
oval:org.opensuse.security:def:96582 | P | gstreamer-1.12.5-1.17 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:73692 | P | Security update for java-11-openjdk (Important) | 2021-09-03
oval:org.opensuse.security:def:70478 | P | Security update for java-11-openjdk (Important) | 2021-09-03
oval:org.opensuse.security:def:64555 | P | Security update for c-ares (Important) | 2021-08-17
oval:org.opensuse.security:def:2236 | P | dpdk-19.11.4-1.105 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2267 | P | libxmltooling-devel-3.1.0-1.26 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2226 | P | apache2-mod_apparmor-2.13.6-1.31 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2255 | P | libosinfo-devel-1.7.1-1.52 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2265 | P | libvirt-7.1.0-4.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2229 | P | apache2-mod_nss-1.0.17-3.3.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:2260 | P | libslirp-devel-4.3.1-1.51 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:101159 | P | gnome-shell-3.34.5-8.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72472 | P | gnome-shell-3.34.5-8.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62753 | P | gnome-shell-3.34.5-8.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:51620 | P | Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important) | 2021-07-27
oval:org.opensuse.security:def:101458 | P | Security update for python-urllib3 (Important) | 2021-06-18
oval:org.opensuse.security:def:5744 | P | Security update for xstream (Important) | 2021-06-17
oval:org.opensuse.security:def:5061 | P | Security update for freeradius-server (Moderate) | 2021-06-11
oval:org.opensuse.security:def:70882 | P | cpio-2.12-1.439 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48861 | P | libnewt0_52-0.52.16-1.83 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:5053 | P | Security update for gstreamer-plugins-bad (Important) | 2021-06-07
oval:org.opensuse.security:def:67122 | P | Security update for xstream (Important) | 2021-06-02
oval:org.opensuse.security:def:5712 | P | Security update for ceph (Important) | 2021-06-02
oval:org.opensuse.security:def:5045 | P | Security update for postgresql10 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:64692 | P | Security update for libu2f-host (Moderate) | 2021-05-25
oval:org.opensuse.security:def:64691 | P | Security update for fribidi (Important) | 2021-05-19
oval:org.opensuse.security:def:73813 | P | Security update for fribidi (Important) | 2021-05-19
oval:org.opensuse.security:def:67532 | P | Security update for open-iscsi (Important) | 2021-04-13
oval:org.opensuse.security:def:5012 | P | Security update for openexr (Moderate) | 2021-04-07
oval:org.opensuse.security:def:67027 | P | Security update for python-bottle (Important) | 2021-02-16
oval:org.opensuse.security:def:5074 | P | Security update for sudo (Important) | 2021-01-26
oval:org.opensuse.security:def:51892 | P | Security update for dnsmasq (Important) | 2021-01-19
oval:org.opensuse.security:def:2208 | P | qemu-audio-oss-3.1.1.1-9.21.4 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2216 | P | squid-4.11-5.17.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4833 | P | Security update for libvirt (Important) | 2020-12-02
oval:org.opensuse.security:def:4913 | P | Security update for ipmitool (Important) | 2020-12-02
oval:org.opensuse.security:def:4787 | P | Security update for apache2 (Important) | 2020-12-02
oval:org.opensuse.security:def:4879 | P | Security update for virglrenderer (Important) | 2020-12-02
oval:org.opensuse.security:def:4987 | P | Security update for jakarta-commons-fileupload (Important) | 2020-12-02
oval:org.opensuse.security:def:4894 | P | Security update for postgresql10 (Important) | 2020-12-02
oval:org.opensuse.security:def:52567 | P | Security update for java-1_8_0-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:49843 | P | libgit2-28 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:53917 | P | Security update for gnome-settings-daemon, gnome-shell (Moderate) | 2020-12-01
oval:org.opensuse.security:def:70769 | P | Security update for python-waitress (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49908 | P | kernel-devel-azure on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51210 | P | Security update for ppp (Important) | 2020-12-01
oval:org.opensuse.security:def:52176 | P | Security update for xorg-x11-server (Important) | 2020-12-01
oval:org.opensuse.security:def:75013 | P | Security update of chromium (Low) | 2020-12-01
oval:org.opensuse.security:def:63997 | P | Security update for libvpx (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49939 | P | apache2-mod_security2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49062 | P | bzip2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:52376 | P | Security update for rubygem-puma (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49776 | P | cargo on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:75146 | P | Security update for gnome-settings-daemon, gnome-shell (Moderate) | 2020-12-01
oval:org.opensuse.security:def:52449 | P | Security update for cifs-utils (Moderate) | 2020-12-01
oval:org.opensuse.security:def:63647 | P | Security update for cups (Important) | 2020-12-01
oval:org.opensuse.security:def:67432 | P | Security update for libxml2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:52486 | P | Security update for MozillaThunderbird and mozilla-nspr (Important) | 2020-12-01
oval:org.opensuse.security:def:51448 | P | Security update for python3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64901 | P | Security update for nfs-utils (Moderate) | 2020-12-01
oval:org.opensuse.security:def:52284 | P | Security update for docker-runc (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51288 | P | Security update for jasper (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64226 | P | chrony on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50012 | P | librelp-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49204 | P | liboath-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64959 | P | Security update for python (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51350 | P | Security update for gnome-settings-daemon, gnome-shell (Moderate) | 2020-12-01
oval:org.opensuse.security:def:74091 | P | Security update for opencv (Moderate) | 2020-12-01
oval:org.opensuse.security:def:65071 | P | Security update for systemd (Important) | 2020-12-01
oval:org.opensuse.security:def:63850 | P | Security update for git (Important) | 2020-12-01
oval:org.opensuse.security:def:74217 | P | Security update for gnome-settings-daemon, gnome-shell (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49687 | P | libpango-1_0-0-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:53843 | P | Security update for opencv (Moderate) | 2020-12-01
oval:org.opensuse.security:def:110841 | P | Security update for gnome-settings-daemon, gnome-shell (Moderate) | 2020-11-07
oval:org.opensuse.security:def:117638 | P | Security update for gnome-settings-daemon, gnome-shell (Moderate) | 2020-11-03
oval:org.opensuse.security:def:96287 | P | Security update for gnome-settings-daemon, gnome-shell (Moderate) | 2020-11-03
oval:org.opensuse.security:def:119765 | P | Security update for gnome-settings-daemon, gnome-shell (Moderate) | 2020-11-03
oval:org.opensuse.security:def:108124 | P | Security update for gnome-settings-daemon, gnome-shell (Moderate) | 2020-11-03
oval:org.opensuse.security:def:102959 | P | Security update for gnome-settings-daemon, gnome-shell (Moderate) | 2020-11-03
oval:org.opensuse.security:def:109625 | P | Security update for gnome-settings-daemon, gnome-shell (Moderate) | 2020-11-03
    gnome gnome-shell *
    canonical ubuntu linux 20.04
    debian debian linux 9.0
    opensuse leap 15.2
    gnome gnome-shell 3.36.4