Lucene search

Redhat.comRH:CVE-2021-20315

HistorySep 22, 2021 - 9:01 a.m.

CVE-2021-20315

2021-09-2209:01:14

redhat.com

access.redhat.com

centos stream 8

gnome-shell

locking protection bypass

physical attacker

locked system manipulation

CVSS2

3.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:P/A:P

CVSS3

6.1

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

20.2%

JSON

A locking protection bypass flaw was found in some versions of gnome-shell as shipped within CentOS Stream 8, when the “Application menu” or “Window list” GNOME extensions are enabled. This flaw allows a physical attacker who has access to a locked system to kill existing applications and start new ones as the locked user, even if the session is still locked.

Mitigation

Disable enabled GNOME extensions, such as "Application menu" or "Window list".

References

bugzilla.redhat.com/show_bug.cgi?id=2006285

nvd.nist.gov/vuln/detail/CVE-2021-20315

www.cve.org/CVERecord?id=CVE-2021-20315

CVSS2

3.6

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:P/A:P

CVSS3

6.1

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

EPSS

0.001

Percentile

20.2%

JSON

Related for RH:CVE-2021-20315