cvelist / Google / CVELIST:CVE-2022-25327
History: Feb 25, 2022 - 11:00 a.m.

CVE-2022-25327 Local Denial of Service in fscrypt PAM module

2022-02-25 11:00:14
CWE-255
Google
www.cve.org
fscrypt pam module
denial of service
metadata validation
upgrade
login issues

CVSS3: 5.5

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS: 0
Percentile: 5.1%

The PAM module for fscrypt doesn’t adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating an fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above.

CNA Affected

[
  {
    "product": "fscrypt",
    "vendor": "Google LLC",
    "versions": [
      {
        "lessThanOrEqual": "0.3.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
