CVE-2017-20002

The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 18%
VendorProductVersion
debianshadow
4.4
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
shadow
bullseye
1:4.8.1-1
fixed
bookworm
1:4.13+dfsg1-1
fixed
sid
1:4.16.0-4
fixed
trixie
1:4.16.0-4
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
shadow
groovy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877374
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914957
https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=877374
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914957
https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html