CVE-2023-4641
27.12.2023, 16:15
A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks for the password twice. If the password fails on the second attempt, shadow-utils fails to clear the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from memory.
Vendor | Product | Version |
---|---|---|
shadow-maint | shadow-utils | 𝑥 < 4.14.0 |
redhat | codeready_linux_builder | 8.0 |
redhat | codeready_linux_builder | 9.0 |
redhat | codeready_linux_builder_for_arm64 | 8.0_aarch64:_aarch64 |
redhat | codeready_linux_builder_for_arm64 | 9.0_aarch64:_aarch64 |
redhat | codeready_linux_builder_for_ibm_z_systems | 8.0_s390x:_s390x |
redhat | codeready_linux_builder_for_ibm_z_systems | 9.0_s390x:_s390x |
redhat | codeready_linux_builder_for_power_little_endian | 8.0_ppc64le:_ppc64le |
redhat | codeready_linux_builder_for_power_little_endian | 9.0_ppc64le:_ppc64le |
redhat | enterprise_linux | 8.0 |
redhat | enterprise_linux | 9.0 |
redhat | enterprise_linux_for_arm_64 | 8.0 |
redhat | enterprise_linux_for_arm_64 | 9.0 |
redhat | enterprise_linux_for_ibm_z_systems | 8.0_s390x:_s390x |
redhat | enterprise_linux_for_ibm_z_systems | 9.0_s390x:_s390x |
redhat | enterprise_linux_for_power_little_endian | 8.0_ppc64le:_ppc64le |
redhat | enterprise_linux_for_power_little_endian | 9.0_ppc64le:_ppc64le |
𝑥 = Vulnerable software versions

Ubuntu Releases
Ubuntu Product |
---|
shadow |
Common Weakness Enumeration
- CWE-303 - Incorrect Implementation of Authentication Algorithm: The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
- CWE-287 - Improper Authentication: When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.