CVE-2017-12424

In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
VendorProductVersion
shadow_projectshadow
𝑥
< 4.5
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
shadow
bullseye
1:4.8.1-1
fixed
jessie
no-dsa
wheezy
no-dsa
bookworm
1:4.13+dfsg1-1
fixed
sid
1:4.16.0-4
fixed
trixie
1:4.16.0-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
shadow
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
not-affected
focal
not-affected
eoan
not-affected
disco
not-affected
cosmic
not-affected
bionic
not-affected
artful
ignored
zesty
ignored
xenial
Fixed 1:4.2-3.1ubuntu5.5+esm1
released
trusty
Fixed 1:4.1.5.1-1ubuntu9.5+esm1
released
Common Weakness Enumeration
References
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675
https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952
https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html
https://security.gentoo.org/glsa/201710-16
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675
https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952
https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html
https://security.gentoo.org/glsa/201710-16