{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-20315", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-03T17:37:23.718Z", "dateReserved": "2020-12-17T00:00:00", "datePublished": "2022-02-18T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-10-07T00:00:00"}, "descriptions": [{"lang": "en", "value": "A locking protection bypass flaw was found in some versions of gnome-shell as shipped within CentOS Stream 8, when the \"Application menu\" or \"Window list\" GNOME extensions are enabled. This flaw allows a physical attacker who has access to a locked system to kill existing applications and start new ones as the locked user, even if the session is still locked."}], "affected": [{"vendor": "n/a", "product": "gnome-shell", "versions": [{"version": "gnome-shell 3.32.2-40.el8", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2006285"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-667", "cweId": "CWE-667"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:37:23.718Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2006285", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnome:gnome-shell:*:*:*:*:*:*:*:*", "matchCriteriaId": "846C7D79-30CC-48F6-9970-5671C658D42A", "versionEndExcluding": "3.32.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:centos:stream:8:*:*:*:*:*:*:*", "matchCriteriaId": "CF40AED3-057A-48B0-95D2-8584EA2F13AD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A locking protection bypass flaw was found in some versions of gnome-shell as shipped within CentOS Stream 8, when the \"Application menu\" or \"Window list\" GNOME extensions are enabled. This flaw allows a physical attacker who has access to a locked system to kill existing applications and start new ones as the locked user, even if the session is still locked."}, {"lang": "es", "value": "Se ha encontrado un fallo de omisi\u00f3n de la protecci\u00f3n de bloqueo en algunas versiones de gnome-shell tal y como se distribuye en CentOS Stream 8, cuando las extensiones de GNOME \"Application menu\" o \"Window list\" est\u00e1n habilitadas. Este fallo permite a un atacante f\u00edsico que tenga acceso a un sistema bloqueado matar las aplicaciones existentes e iniciar otras nuevas como el usuario bloqueado, incluso si la sesi\u00f3n sigue bloqueada"}], "id": "CVE-2021-20315", "lastModified": "2022-12-03T01:42:03.343", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-18T18:15:08.800", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2006285"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-667"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-667"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "gnome-shell: locking protection bypass allow unauthorized user to kill existing applications or start new ones", "id": "2006285", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2006285"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "status": "draft"}, "cwe": "CWE-667", "details": ["A locking protection bypass flaw was found in some versions of gnome-shell as shipped within CentOS Stream 8, when the \"Application menu\" or \"Window list\" GNOME extensions are enabled. This flaw allows a physical attacker who has access to a locked system to kill existing applications and start new ones as the locked user, even if the session is still locked.", "A locking protection bypass flaw was found in some versions of gnome-shell as shipped within CentOS Stream 8, when the \"Application menu\" or \"Window list\" GNOME extensions are enabled. This flaw allows a physical attacker who has access to a locked system to kill existing applications and start new ones as the locked user, even if the session is still locked."], "mitigation": {"lang": "en:us", "value": "Disable enabled GNOME extensions, such as \"Application menu\" or \"Window list\"."}, "name": "CVE-2021-20315", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "gnome-shell", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gnome-shell", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "gnome-shell", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-08-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-20315\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-20315"], "statement": "The flaw only affects some specific versions of CentOS Stream 8.\nThis issue did not affect the versions of gnome-shell as shipped with Red Hat Enterprise Linux 7, and 8 as they did not include the vulnerable code.", "threat_severity": "Moderate", "upstream_fix": "gnome-shell 3.32.2-40.el8"}