CVE-2020-27837 — Race Condition in Display Manager

CWE-362 — Race Condition6 documents6 sources

Severity

6.4MEDIUMNVD

CNA4.1

EPSS

0.0%

top 87.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gnome Display Manager Gnome GDM

Timeline

PublishedDec 28

Latest updateMay 24

Description

A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.

CVSS vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.5 | Impact: 5.9

Affected Packages2 packages

▶NVDgnome/gnome_display_manager< 3.38.2.1

▶CVEListV5gnome/gdmprior to 3.38.2.1

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-xpm4-75c2-wrgc: A flaw was found in GDM in versions prior to 3↗2022-05-24

▶

OSV

CVE-2020-27837: A flaw was found in GDM in versions prior to 3↗2020-12-28

▶

CVEList

CVE-2020-27837: A flaw was found in GDM in versions prior to 3↗2020-12-28

▶

📋Vendor Advisories

Red Hat

gdm: lock screen bypass when autologin is set↗2020-12-11

▶

Debian

CVE-2020-27837: gdm3 - A flaw was found in GDM in versions prior to 3.38.2.1. A race condition in the h...↗2020

▶