3 issues skipped by the security teams:
- CVE-2016-1000002: gdm3 3.14.2 and possibly later has an information leak before screen lock
- CVE-2020-16125: gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be chained with an additional issue that could allow a local user to create a new privileged account.
- CVE-2020-27837: A flaw was found in GDM in versions prior to 18.104.22.168. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.