Gentoo FoundationGLSA-200512-02Webmin, Usermin: Format string vulnerability
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.04 Low
EPSS
Percentile
91.9%
Background
Webmin is a web-based interface for Unix-like systems. Usermin is a simplified version of Webmin designed for use by normal users rather than system administrators.
Description
Jack Louis discovered that the Webmin and Usermin βminiserv.plβ web server component is vulnerable to a Perl format string vulnerability. Login with the supplied username is logged via the Perl βsyslogβ facility in an unsafe manner.
Impact
A remote attacker can trigger this vulnerability via a specially crafted username containing format string data. This can be exploited to consume a large amount of CPU and memory resources on a vulnerable system, and possibly to execute arbitrary code of the attackerβs choice with the permissions of the user running Webmin.
Workaround
There is no known workaround at this time.
Resolution
All Webmin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/webmin-1.250"
All Usermin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/usermin-1.180"
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| Gentoo | any | all | app-admin/webmin | <Β 1.250 | UNKNOWN |
| Gentoo | any | all | app-admin/usermin | <Β 1.180 | UNKNOWN |
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.04 Low
EPSS
Percentile
91.9%