There are 3 open security issues in buster.
2 issues left for the package maintainer to handle:
gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a new privileged account.
A flaw was found in GDM in versions prior to 22.214.171.124. A race condition in the handling of session shutdown makes it possible to bypass the lock screen for a user that has autologin enabled, accessing their session without authentication. This is similar to CVE-2017-12164, but requires more difficult conditions to exploit.
You can find information about how to handle these issues in the security team's documentation.
1 ignored issue:
gdm3 3.14.2 and possibly later has an information leak before screen lock