A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit. Reference: https://gitlab.gnome.org/GNOME/gdm/-/issues/660
Created gdm tracking bugs for this issue: Affects: fedora-all [bug 1908276]
Upstream patch: https://gitlab.gnome.org/GNOME/gdm/-/commit/dcdbaaa04012541ad2813cf83559d91d52f208b9
Low Impact assigned to this flaw due to multiple requirements being necessary: 1) automatic login needs to be enabled. This is usually not used in configurations that require high security 2) the session needs to crash once at startup, but then it should work well after that 3) it requires losing a race condition that's hard to lose without a PostSession script being installed
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27837