CVE-2020-27837
published 2020-12-28CVE-2020-27837: A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a…
PriorityP425medium6.4CVSS 3.1
AVPACHPRNUINSUCHIHAH
EPSS
0.22%
13.1th percentile
A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | gdm3 | < gdm3 3.38.2.1-1 (bookworm) | gdm3 3.38.2.1-1 (bookworm) |
| gnome | gnome_display_manager | < 3.38.2.1 | 3.38.2.1 |
CVSS provenance
nvdv3.16.4MEDIUMCVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.04.4MEDIUMAV:L/AC:M/Au:N/C:P/I:P/A:P
osv6.4MEDIUM
vendor_debian4.1MEDIUM
vendor_redhat4.1MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-xpm4-75c2-wrgc: A flaw was found in GDM in versions prior to 3
ghsa_unreviewed·2022-05-24·CVSS 4.1
CVE-2020-27837 [MEDIUM] CWE-362 GHSA-xpm4-75c2-wrgc: A flaw was found in GDM in versions prior to 3
A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.
OSV
CVE-2020-27837: A flaw was found in GDM in versions prior to 3
osv·2020-12-28·CVSS 6.4
CVE-2020-27837 [MEDIUM] CVE-2020-27837: A flaw was found in GDM in versions prior to 3
A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.
Red Hat
gdm: lock screen bypass when autologin is set
vendor_redhat·2020-12-11·CVSS 4.1
CVE-2020-27837 [MEDIUM] CWE-362 gdm: lock screen bypass when autologin is set
gdm: lock screen bypass when autologin is set
A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.
A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.
Package: gdm (Red Hat Enterprise Linux 6) - Out of support scope
Package: gdm (Red Hat Enterprise Linux 7) - Out of support scope
Package: gdm (Red Hat En
Debian
CVE-2020-27837: gdm3 - A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the h...
vendor_debian·2020·CVSS 4.1
CVE-2020-27837 [MEDIUM] CVE-2020-27837: gdm3 - A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the h...
A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.
Scope: local
bookworm: resolved (fixed in 3.38.2.1-1)
bullseye: resolved (fixed in 3.38.2.1-1)
forky: resolved (fixed in 3.38.2.1-1)
sid: resolved (fixed in 3.38.2.1-1)
trixie: resolved (fixed in 3.38.2.1-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2020-12-28
Published