MidnightBSD

Advisories for shadow-maint

CVE-2023-4641

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
secalert@redhat.com 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.0 3.6

Products Affected

Vendor Product Version
redhat enterprise_linux 9.0
redhat codeready_linux_builder 8.0
redhat enterprise_linux 8.0
redhat codeready_linux_builder_for_arm64 8.0_aarch64
redhat enterprise_linux_for_ibm_z_systems 8.0_s390x
redhat enterprise_linux_for_power_little_endian 8.0_ppc64le
redhat codeready_linux_builder_for_power_little_endian 8.0_ppc64le
redhat codeready_linux_builder_for_power_little_endian 9.0_ppc64le
redhat enterprise_linux_for_power_little_endian 9.0_ppc64le
redhat enterprise_linux_for_ibm_z_systems 9.0_s390x
shadow-maint shadow-utils *
redhat codeready_linux_builder_for_ibm_z_systems 9.0_s390x
redhat codeready_linux_builder_for_arm64 9.0_aarch64
redhat codeready_linux_builder_for_ibm_z_systems 8.0_s390x
redhat codeready_linux_builder 9.0
redhat enterprise_linux_for_arm_64 9.0
redhat enterprise_linux_for_arm_64 8.0