CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2021-20315
https://notcve.org/view.php?id=CVE-2021-20315
A locking protection bypass flaw was found in some versions of gnome-shell as shipped within CentOS Stream 8, when the "Application menu" or "Window list" GNOME extensions are enabled. This flaw allows a physical attacker who has access to a locked system to kill existing applications and start new ones as the locked user, even if the session is still locked. Se ha encontrado un fallo de omisión de la protección de bloqueo en algunas versiones de gnome-shell tal y como se distribuye en CentOS Stream 8, cuando las extensiones de GNOME "Application menu" o "Window list" están habilitadas. Este fallo permite a un atacante físico que tenga acceso a un sistema bloqueado matar las aplicaciones existentes e iniciar otras nuevas como el usuario bloqueado, incluso si la sesión sigue bloqueada • https://bugzilla.redhat.com/show_bug.cgi?id=2006285 • CWE-667: Improper Locking •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 1CVE-2020-17489 – gnome-shell: Password from logged-out user may be shown on login screen
https://notcve.org/view.php?id=CVE-2020-17489
An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.) Se detectó un problema en determinadas configuraciones de GNOME gnome-shell versiones hasta 3.36.4. • http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997 https://lists.debian.org/debian-lts-announce/2020/09/msg00014.html https://security.gentoo.org/glsa/202009-08 https://usn.ubuntu.com/4464-1 https://access.redhat.com/security/cve/CVE-2020-17489 https://bugzilla.redhat.com/show_bug.cgi?id=1868418 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2014-7300 – gnome-shell: lockscreen bypass with printscreen key
https://notcve.org/view.php?id=CVE-2014-7300
GNOME Shell 3.14.x before 3.14.1, when the Screen Lock feature is used, does not limit the aggregate memory consumption of all active PrtSc requests, which allows physically proximate attackers to execute arbitrary commands on an unattended workstation by making many PrtSc requests and leveraging a temporary lock outage, and the resulting temporary shell availability, caused by the Linux kernel OOM killer. GNOME Shell 3.14.x anterior a 3.14.1, cuando se utiliza la característica Screen Lock, no se limita el consumo de memoria para todas las peticiones activas PrtSc , lo que permite a atacantes cercanos físicamente ejecutar comandos arbitrarios en una estación de trabajo desatendida haciendo numerosas peticiones PrtSc y aprovechando un bloqueo temporal, y la disponibilidad de una shell resultante temporal, causada por Linux kernel OOM killer. It was found that the Gnome shell did not disable the Print Screen key when the screen was locked. This could allow an attacker with physical access to a system with a locked screen to crash the screen-locking application by creating a large amount of screenshots. • http://openwall.com/lists/oss-security/2014/09/29/17 http://rhn.redhat.com/errata/RHSA-2015-0535.html https://bugzilla.gnome.org/show_bug.cgi?id=737456 https://git.gnome.org/browse/gnome-shell/commit/?id=a72dca361080ffc9f45ff90188a7cf013c3c4013 https://git.gnome.org/browse/gnome-shell/commit/?id=f02b007337e61436aaa0e81a86ad707b6d277378 https://access.redhat.com/security/cve/CVE-2014-7300 https://bugzilla.redhat.com/show_bug.cgi?id=1147917 • CWE-305: Authentication Bypass by Primary Weakness CWE-399: Resource Management Errors •