cnvd - cnvd-2020-48648

cnvd-2020-48648

Vulnerability from cnvd

Title: GNOME gnome-shell密码泄露漏洞

Description:

gnome-shell是一款为GNOME桌面提供切换窗口，启动应用程序或查看通知等核心用户界面功能的shell。

GNOME gnome-shell 3.36.4及之前版本中存在安全漏洞，该漏洞源于如果在用户登录时，将密码设置为可见，注销账户时在登录对话框中会显示该明文密码。目前没有详细的漏洞细节提供。

Severity: 低

Formal description:

目前厂商未提供修复方案，请关注厂商主页： https://gitlab.gnome.org/GNOME/gnome-shell/

Reference: https://usn.ubuntu.com/4464-1/

Impacted products

Name
GNOME gnome-shell <=3.36.4

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-17489",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-17489"
    }
  },
  "description": "gnome-shell\u662f\u4e00\u6b3e\u4e3aGNOME\u684c\u9762\u63d0\u4f9b\u5207\u6362\u7a97\u53e3\uff0c\u542f\u52a8\u5e94\u7528\u7a0b\u5e8f\u6216\u67e5\u770b\u901a\u77e5\u7b49\u6838\u5fc3\u7528\u6237\u754c\u9762\u529f\u80fd\u7684shell\u3002\n\nGNOME gnome-shell 3.36.4\u53ca\u4e4b\u524d\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5982\u679c\u5728\u7528\u6237\u767b\u5f55\u65f6\uff0c\u5c06\u5bc6\u7801\u8bbe\u7f6e\u4e3a\u53ef\u89c1\uff0c\u6ce8\u9500\u8d26\u6237\u65f6\u5728\u767b\u5f55\u5bf9\u8bdd\u6846\u4e2d\u4f1a\u663e\u793a\u8be5\u660e\u6587\u5bc6\u7801\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u672a\u63d0\u4f9b\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://gitlab.gnome.org/GNOME/gnome-shell/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-48648",
  "openTime": "2020-08-27",
  "products": {
    "product": "GNOME gnome-shell \u003c=3.36.4"
  },
  "referenceLink": "https://usn.ubuntu.com/4464-1/",
  "serverity": "\u4f4e",
  "submitTime": "2020-08-20",
  "title": "GNOME gnome-shell\u5bc6\u7801\u6cc4\u9732\u6f0f\u6d1e"
}

CVE-2020-17489 (GCVE-0-2020-17489)

Vulnerability from cvelistv5

Published

2020-08-11 20:07

Modified

2024-08-04 14:00

Severity ?

CWE

Summary

An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)

References

▼	URL	Tags
	https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997	x_refsource_MISC
	https://usn.ubuntu.com/4464-1/	vendor-advisory, x_refsource_UBUNTU
	https://security.gentoo.org/glsa/202009-08	vendor-advisory, x_refsource_GENTOO
	https://lists.debian.org/debian-lts-announce/2020/09/msg00014.html	mailing-list, x_refsource_MLIST
	http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html	vendor-advisory, x_refsource_SUSE

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T14:00:47.469Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997"
          },
          {
            "name": "USN-4464-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4464-1/"
          },
          {
            "name": "GLSA-202009-08",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202009-08"
          },
          {
            "name": "[debian-lts-announce] 20200915 [SECURITY] [DLA 2374-1] gnome-shell security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00014.html"
          },
          {
            "name": "openSUSE-SU-2020:1861",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-11-07T12:06:14",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997"
        },
        {
          "name": "USN-4464-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4464-1/"
        },
        {
          "name": "GLSA-202009-08",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202009-08"
        },
        {
          "name": "[debian-lts-announce] 20200915 [SECURITY] [DLA 2374-1] gnome-shell security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00014.html"
        },
        {
          "name": "openSUSE-SU-2020:1861",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-17489",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in certain configurations of GNOME gnome-shell through 3.36.4. When logging out of an account, the password box from the login dialog reappears with the password still visible. If the user had decided to have the password shown in cleartext at login time, it is then visible for a brief moment upon a logout. (If the password were never shown in cleartext, only the password length is revealed.)"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997",
              "refsource": "MISC",
              "url": "https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/2997"
            },
            {
              "name": "USN-4464-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4464-1/"
            },
            {
              "name": "GLSA-202009-08",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202009-08"
            },
            {
              "name": "[debian-lts-announce] 20200915 [SECURITY] [DLA 2374-1] gnome-shell security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00014.html"
            },
            {
              "name": "openSUSE-SU-2020:1861",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00028.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-17489",
    "datePublished": "2020-08-11T20:07:26",
    "dateReserved": "2020-08-11T00:00:00",
    "dateUpdated": "2024-08-04T14:00:47.469Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted