Lucene search
RedhatCVELIST:CVE-2023-4641HistoryDec 27, 2023 - 3:43 p.m.
CVE-2023-4641 Shadow-utils: possible password leak during passwd(1) change
2023-12-2715:43:22
CWE-303
redhat
www.cve.org
cve-2023-4641
shadow-utils
password leak
memory attack
security flaw
4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
6.1 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.2%
A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.
CNA Affected
[
{
"versions": [
{
"status": "unaffected",
"version": "4.14.0-rc1",
"lessThan": "*",
"versionType": "semver"
}
],
"packageName": "shadow-utils",
"collectionURL": "https://github.com/shadow-maint/shadow",
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 8",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "shadow-utils",
"defaultStatus": "affected",
"versions": [
{
"version": "2:4.6-19.el8",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:enterprise_linux:8::crb",
"cpe:/o:redhat:enterprise_linux:8::baseos"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 8.6 Extended Update Support",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "shadow-utils",
"defaultStatus": "affected",
"versions": [
{
"version": "2:4.6-17.el8_6",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/o:redhat:rhel_eus:8.6::baseos",
"cpe:/a:redhat:rhel_eus:8.6::crb"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 8.8 Extended Update Support",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "shadow-utils",
"defaultStatus": "affected",
"versions": [
{
"version": "2:4.6-17.el8_8.2",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/o:redhat:rhel_eus:8.8::baseos",
"cpe:/a:redhat:rhel_eus:8.8::crb"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 9",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "shadow-utils",
"defaultStatus": "affected",
"versions": [
{
"version": "2:4.9-8.el9",
"lessThan": "*",
"versionType": "rpm",
"status": "unaffected"
}
],
"cpes": [
"cpe:/a:redhat:enterprise_linux:9::crb",
"cpe:/o:redhat:enterprise_linux:9::baseos"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 6",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "shadow-utils",
"defaultStatus": "unknown",
"cpes": [
"cpe:/o:redhat:enterprise_linux:6"
]
},
{
"vendor": "Red Hat",
"product": "Red Hat Enterprise Linux 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "shadow-utils",
"defaultStatus": "unknown",
"cpes": [
"cpe:/o:redhat:enterprise_linux:7"
]
}
]Related
nessus
nessus
RHEL 7 : shadow-utils (Unpatched Vulnerability)
2024-05-11 00:00:00
EulerOS Virtualization 2.10.1 : shadow (EulerOS-SA-2023-3512)
2024-01-16 00:00:00
EulerOS 2.0 SP10 : shadow (EulerOS-SA-2023-3231)
2024-01-16 00:00:00
redhat
redhat
(RHSA-2023:6632) Low: shadow-utils security and bug fix update
2023-11-07 06:10:41
(RHSA-2024:0417) Low: shadow-utils security update
2024-01-24 14:40:25
(RHSA-2024:2577) Low: shadow-utils security update
2024-04-30 14:00:10
openvas
openvas
Huawei EulerOS: Security Advisory for shadow (EulerOS-SA-2023-3484)
2023-12-22 00:00:00
Huawei EulerOS: Security Advisory for shadow (EulerOS-SA-2023-3196)
2023-11-10 00:00:00
SUSE: Security Advisory (SUSE-SU-2023:4025-1)
2023-10-11 00:00:00
redhatcve
redhatcve
CVE-2023-4641
2023-08-30 17:46:42
veracode
veracode
Information Disclosure
2023-10-30 10:18:25
osv
osv
Low: shadow-utils security and bug fix update
2023-11-07 00:00:00
CVE-2023-4641
2023-12-27 16:15:13
shadow vulnerability
2024-02-15 18:05:16
amazon
amazon
Low: shadow-utils
2023-09-13 23:44:00
Low: shadow-utils
2023-10-30 23:31:00
ubuntu
ubuntu
shadow vulnerability
2024-02-15 00:00:00
redos
redos
ROS-20240409-07
2024-04-09 00:00:00
prion
prion
Default credentials
2023-12-27 16:15:00
mageia
mageia
Updated shadow-utils packages fix a security vulnerability
2023-10-23 00:04:51
oraclelinux
oraclelinux
shadow-utils security and bug fix update
2023-11-17 00:00:00
shadow-utils security and bug fix update
2023-11-11 00:00:00
ubuntucve
ubuntucve
CVE-2023-4641
2023-12-27 00:00:00
nvd
nvd
CVE-2023-4641
2023-12-27 16:15:13
cve
cve
CVE-2023-4641
2023-12-27 16:15:13
debiancve
debiancve
CVE-2023-4641
2023-12-27 16:15:13
almalinux
almalinux
Low: shadow-utils security and bug fix update
2023-11-14 00:00:00
Low: shadow-utils security and bug fix update
2023-11-07 00:00:00
photon
photon
Moderate Photon OS Security Update - PHSA-2023-4.0-0536
2023-12-28 00:00:00
Moderate Photon OS Security Update - PHSA-2023-3.0-0705
2023-12-28 00:00:00
Moderate Photon OS Security Update - PHSA-2024-5.0-0182
2024-01-02 00:00:00
ibm
ibm
oracle
oracle
Oracle Critical Patch Update Advisory - April 2024
2024-04-16 00:00:00
4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
6.1 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.2%
Related for CVELIST:CVE-2023-4641