{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-07T12:06:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997"}, {"name": "USN-4464-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4464-1/"}, {"name": "GLSA-202009-08", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202009-08"}, {"name": "[debian-lts-announce] 20200915 [SECURITY] [DLA 2374-1] gnome-shell security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00014.html"}, {"name": "openSUSE-SU-2020:1861", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-17489", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997", "refsource": "MISC", "url": "https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997"}, {"name": "USN-4464-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4464-1/"}, {"name": "GLSA-202009-08", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202009-08"}, {"name": "[debian-lts-announce] 20200915 [SECURITY] [DLA 2374-1] gnome-shell security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00014.html"}, {"name": "openSUSE-SU-2020:1861", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T14:00:47.469Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997"}, {"name": "USN-4464-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4464-1/"}, {"name": "GLSA-202009-08", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202009-08"}, {"name": "[debian-lts-announce] 20200915 [SECURITY] [DLA 2374-1] gnome-shell security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00014.html"}, {"name": "openSUSE-SU-2020:1861", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-17489", "datePublished": "2020-08-11T20:07:26", "dateReserved": "2020-08-11T00:00:00", "dateUpdated": "2024-08-04T14:00:47.469Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnome:gnome-shell:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E93A336-4ABA-4C22-BB51-ACDD7F43397C", "versionEndIncluding": "3.36.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)"}, {"lang": "es", "value": "Se detect\u00f3 un problema en determinadas configuraciones de GNOME gnome-shell versiones hasta 3.36.4. Cuando se cierra la sesi\u00f3n de una cuenta, el cuadro de contrase\u00f1a a partir del cuadro de di\u00e1logo de inicio de sesi\u00f3n vuelve a aparecer con la contrase\u00f1a a\u00fan visible. Si el usuario ha decidido que la contrase\u00f1a se muestre en texto sin cifrar en el momento del inicio de sesi\u00f3n, estar\u00e1 visible durante un breve momento al cerrar la sesi\u00f3n. (Si la contrase\u00f1a nunca se mostr\u00f3 en texto sin cifrar, solo la longitud de la contrase\u00f1a es revelada)"}], "id": "CVE-2020-17489", "lastModified": "2021-03-26T14:46:35.967", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-11T21:15:10.837", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00014.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202009-08"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4464-1/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:1814", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "gnome-shell-0:3.32.2-44.el8", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2022-05-10T00:00:00Z"}], "bugzilla": {"description": "gnome-shell: Password from logged-out user may be shown on login screen", "id": "1868418", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1868418"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)"], "mitigation": {"lang": "en:us", "value": "Do not use the \"view password\" context menu option when logging into gnome-shell."}, "name": "CVE-2020-17489", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "gnome-shell", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2020-08-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-17489\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-17489"], "statement": "This flaw does not affect gnome-shell as shipped with Red Hat Enterprise Linux 6 or 7. For 6, there is no option to view the password in the clear at login, and for 7, the login screen is killed upon login.", "threat_severity": "Low", "upstream_fix": "gnome-shell 3.37.3"}