CVE-2022-0563

EUVD-2022-15682
A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA-ADPADP
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Affected Products (NVD)
VendorProductVersion
kernelutil-linux
𝑥
< 2.37.4
netappontap_select_deploy_administration_utility
-
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
util-linux
bookworm
unimportant
bookworm (security)
unimportant
bullseye
unimportant
bullseye (security)
unimportant
sid
unimportant
trixie
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
util-linux
bionic
not-affected
focal
not-affected
impish
not-affected
trusty
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u
https://security.gentoo.org/glsa/202401-08
https://security.netapp.com/advisory/ntap-20220331-0002/
https://lore.kernel.org/util-linux/20220214110609.msiwlm457ngoic6w%40ws.net.home/T/#u
https://security.gentoo.org/glsa/202401-08
https://security.netapp.com/advisory/ntap-20220331-0002/