CVE-2017-2616 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
redhat	CNA	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 7%

Vendor	Product	Version
util-linux_project	util-linux	𝑥 < 2.32.1
debian	debian_linux	8.0
redhat	enterprise_linux_desktop	6.0
redhat	enterprise_linux_desktop	7.0
redhat	enterprise_linux_server	6.0
redhat	enterprise_linux_server	7.0
redhat	enterprise_linux_server_aus	7.3
redhat	enterprise_linux_server_aus	7.4
redhat	enterprise_linux_server_eus	7.3
redhat	enterprise_linux_server_eus	7.4
redhat	enterprise_linux_server_eus	7.5
redhat	enterprise_linux_workstation	6.0
redhat	enterprise_linux_workstation	7.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

coreutils

bullseye	8.32-4 fixed
bookworm	9.1-1 fixed
sid	9.5-1 fixed
trixie	9.5-1 fixed

shadow

bullseye	1:4.8.1-1 fixed
bookworm	1:4.13+dfsg1-1 fixed
sid	1:4.16.0-4 fixed
trixie	1:4.16.0-4 fixed

util-linux

bullseye (security)	2.36.1-8+deb11u2 fixed
bullseye	2.36.1-8+deb11u2 fixed
bookworm	2.38.1-5+deb12u1 fixed
bookworm (security)	2.38.1-5+deb12u1 fixed
trixie	2.40.2-9 fixed
sid	2.40.2-10 fixed

Ubuntu Releases

Ubuntu Product

Codename

shadow

disco	Fixed 1:4.2-3.2ubuntu2 released
cosmic	Fixed 1:4.2-3.2ubuntu2 released
bionic	Fixed 1:4.2-3.2ubuntu2 released
artful	Fixed 1:4.2-3.2ubuntu2 released
zesty	Fixed 1:4.2-3.2ubuntu1.17.04.1 released
yakkety	Fixed 1:4.2-3.2ubuntu1.16.10.1 released
xenial	Fixed 1:4.2-3.1ubuntu5.2 released
trusty	Fixed 1:4.1.5.1-1ubuntu9.4 released
precise	ignored

util-linux

disco	not-affected
cosmic	not-affected
bionic	not-affected
artful	ignored
zesty	ignored
yakkety	ignored
xenial	not-affected
trusty	not-affected
precise	ignored

Common Weakness Enumeration

CWE-267 - Privilege Defined With Unsafe Actions
A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.
CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References

http://rhn.redhat.com/errata/RHSA-2017-0654.html

http://www.securityfocus.com/bid/96404

http://www.securitytracker.com/id/1038271

https://access.redhat.com/errata/RHSA-2017:0907

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2616

https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891

https://security.gentoo.org/glsa/201706-02

https://www.debian.org/security/2017/dsa-3793

http://rhn.redhat.com/errata/RHSA-2017-0654.html

http://www.securityfocus.com/bid/96404

http://www.securitytracker.com/id/1038271

https://access.redhat.com/errata/RHSA-2017:0907

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2616

https://github.com/karelzak/util-linux/commit/dffab154d29a288aa171ff50263ecc8f2e14a891

https://security.gentoo.org/glsa/201706-02

https://www.debian.org/security/2017/dsa-3793