CVSS3: 3.3 Low

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | LOW |
Availability Impact | NONE |

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS: 0.0004 Low (Percentile: 15.6%)

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character makes it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that “cat /etc/passwd” shows a rogue user account.
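
A defender-side check for the condition described above, as an added example that is not part of the original advisory or of the shadow project: it scans raw passwd content for control/format characters and colon lookalikes in any field. The function names, the lookalike list and the sample records are assumptions constructed for illustration.

```python
import sys
import unicodedata

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
# Characters that render like ':' but are not the ASCII separator.
# Assumed list for illustration, not exhaustive.
COLON_LOOKALIKES = {"\uff1a", "\ufe55", "\ua789", "\u2236", "\u02d0"}

def suspicious_chars(value):
    """Return (index, codepoint, reason) for characters that can distort display."""
    hits = []
    for i, ch in enumerate(value):
        cp = f"U+{ord(ch):04X}"
        if unicodedata.category(ch) in ("Cc", "Cf"):
            hits.append((i, cp, "control/format character"))
        elif ch in COLON_LOOKALIKES or (
            ord(ch) > 127 and ":" in unicodedata.normalize("NFKC", ch)
        ):
            hits.append((i, cp, "colon lookalike"))
    return hits

def scan_passwd(data):
    """Scan raw passwd bytes; return (line, account, field, index, codepoint, reason)."""
    findings = []
    # Split on \n only: a \r inside a record is what we are looking for.
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        if not raw:
            continue
        fields = raw.decode("utf-8", errors="replace").split(":")
        for name, value in zip(FIELDS, fields):
            for idx, cp, reason in suspicious_chars(value):
                findings.append((lineno, fields[0], name, idx, cp, reason))
    return findings

# Constructed sample: one clean record, one with \r and U+FF1A in the GECOS field.
SAMPLE = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    + "alice:x:1000:1000:Alice\rfake\uff1ax:/home/alice:/bin/sh\n".encode("utf-8")
)

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE
    for finding in scan_passwd(data):
        print(finding)  # tuples print with repr(), so nothing reaches the terminal raw
```

Reading the file as bytes and printing with `repr()` matters here: a pager or `cat` interprets `\r` on the terminal, which is the display behaviour the advisory describes.
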
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | shadow | <= 1:4.13+dfsg1-1 | shadow_1:4.13+dfsg1-1_all.deb |
Debian | 11 | all | shadow | <= 1:4.8.1-1 | shadow_1:4.8.1-1_all.deb |
Debian | 10 | all | shadow | <= 1:4.5-1.1 | shadow_1:4.5-1.1_all.deb |
Debian | 999 | all | shadow | < 1:4.13+dfsg1-2 | shadow_1:4.13+dfsg1-2_all.deb |
Debian | 13 | all | shadow | < 1:4.13+dfsg1-2 | shadow_1:4.13+dfsg1-2_all.deb |