CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 1CVE-2023-43090 – Gnome-shell: screenshot tool allows viewing open windows when session is locked
https://notcve.org/view.php?id=CVE-2023-43090
19 Sep 2023 — A vulnerability was found in GNOME Shell. GNOME Shell's lock screen allows an unauthenticated local user to view windows of the locked desktop session by using keyboard shortcuts to unlock the restricted functionality of the screenshot tool. Se encontró una vulnerabilidad en GNOME Shell. La pantalla de bloqueo de GNOME Shell permite a un usuario local no autenticado ver ventanas de la sesión de escritorio bloqueada mediante el uso de atajos de teclado para desbloquear la funcionalidad restringida de la herr... • https://access.redhat.com/security/cve/CVE-2023-43090 • CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 2%CPEs: 1EXPL: 2CVE-2023-36250
https://notcve.org/view.php?id=CVE-2023-36250
14 Sep 2023 — CSV Injection vulnerability in GNOME time tracker version 3.0.2, allows local attackers to execute arbitrary code via crafted .tsv file when creating a new record. Vulnerabilidad de Inyección CSV en el rastreador de tiempo de GNOME versión 3.0.2, permite a atacantes locales ejecutar código arbitrario a través de un archivo .tsv manipulado al crear un nuevo registro. • https://github.com/BrunoTeixeira1996/CVE-2023-36250 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3982
https://notcve.org/view.php?id=CVE-2021-3982
29 Apr 2022 — Linux distributions using CAP_SYS_NICE for gnome-shell may be exposed to a privilege escalation issue. An attacker, with low privilege permissions, may take advantage of the way CAP_SYS_NICE is currently implemented and eventually load code to increase its process scheduler priority leading to possible DoS of other services running in the same machine. Las distribuciones de Linux que usan la función CAP_SYS_NICE para gnome-shell pueden estar expuestas a un problema de escalada de privilegios. Un atacante, c... • https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2284 • CWE-273: Improper Check for Dropped Privileges •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20315
https://notcve.org/view.php?id=CVE-2021-20315
18 Feb 2022 — A locking protection bypass flaw was found in some versions of gnome-shell as shipped within CentOS Stream 8, when the "Application menu" or "Window list" GNOME extensions are enabled. This flaw allows a physical attacker who has access to a locked system to kill existing applications and start new ones as the locked user, even if the session is still locked. Se ha encontrado un fallo de omisión de la protección de bloqueo en algunas versiones de gnome-shell tal y como se distribuye en CentOS Stream 8, cuan... • https://bugzilla.redhat.com/show_bug.cgi?id=2006285 • CWE-667: Improper Locking •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2021-28650 – gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory (incomplete CVE-2020-36241 fix)
https://notcve.org/view.php?id=CVE-2021-28650
17 Mar 2021 — autoar-extractor.c in GNOME gnome-autoar before 0.3.1, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink in certain complex situations. NOTE: this issue exists because of an incomplete fix for CVE-2020-36241. El archivo autoar-extractor.c en GNOME gnome-autoar versiones anteriores a 0.3.1, tal y como es usado en GNOME Shell, Nautilus y otro software, permite un Salto de Directorio durante la ext... • https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/8109c368c6cfdb593faaf698c2bf5da32bb1ace4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-36241 – gnome-autoar: Directory traversal via directory symbolic links pointing outside of the destination directory
https://notcve.org/view.php?id=CVE-2020-36241
05 Feb 2021 — autoar-extractor.c in GNOME gnome-autoar through 0.2.4, as used by GNOME Shell, Nautilus, and other software, allows Directory Traversal during extraction because it lacks a check of whether a file's parent is a symlink to a directory outside of the intended extraction location. El archivo autoar-extractor.c en GNOME gnome-autoar versiones hasta 0.2.4, tal y como es usado por GNOME Shell, Nautilus y otro software, permite un Salto de Directorio durante la extracción porque presenta una falta de comprobación... • https://gitlab.gnome.org/GNOME/gnome-autoar/-/commit/adb067e645732fdbe7103516e506d09eb6a54429 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2020-27837
https://notcve.org/view.php?id=CVE-2020-27837
28 Dec 2020 — A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit. Se encontró un fallo en GDM en versiones anteriores a 3.38.2.1. Una condición de carrera en el manejo del cierre de sesión hace posible omitir la pantalla de bloqueo para un usuario ... • https://bugzilla.redhat.com/show_bug.cgi?id=1906812 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.2EPSS: 17%CPEs: 2EXPL: 3CVE-2020-16125 – gdm3 would start gnome-initial-setup if it cannot contact accountservice
https://notcve.org/view.php?id=CVE-2020-16125
03 Nov 2020 — gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a new privileged account. gdm3 versiones anteriores a 3.36.2 o 3.38.2, comenzaría la configuración inicial de gnom si gdm3 no puede ponerse en contacto con el servicio de cuentas por medio de dbus de manera oportuna; en Ubuntu (y pote... • https://github.com/za970120604/CVE-2020-16125-Reproduction • CWE-636: Not Failing Securely ('Failing Open') CWE-754: Improper Check for Unusual or Exceptional Conditions •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1CVE-2020-17489 – gnome-shell: Password from logged-out user may be shown on login screen
https://notcve.org/view.php?id=CVE-2020-17489
11 Aug 2020 — An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.) Se detectó un problema en determinadas configuraciones de GNOME gnome-shell versiones hasta ... • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2012-6111
https://notcve.org/view.php?id=CVE-2012-6111
20 Dec 2019 — gnome-keyring does not discard stored secrets when using gnome_keyring_lock_all_sync function gnome-keyring no descarta los secretos almacenados cuando se usa la función gnome_keyring_lock_all_sync. • http://www.openwall.com/lists/oss-security/2013/01/17/4 • CWE-20: Improper Input Validation •