CVE-2017-1000082
CWE-269 — Improper Privilege Management
CWE-20 — Improper Input Validation
CWE-440
11 documents, 8 sources
Severity
9.8 CRITICAL
EPSS
0.3%
top 50.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jul 7
Latest update: May 13
Description
systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e.g. "0day"), running the service in question with root privileges rather than the user intended.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9
Affected Packages: 2 packages
Patches
Vulnerability Details (3)
GHSA (2022-05-13): GHSA-pp67-7cmm-9pp7: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e…
CVEList (2017-07-07): CVE-2017-1000082: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e…
OSV (2017-07-07): CVE-2017-1000082: systemd v233 and earlier fails to safely parse usernames starting with a numeric digit (e…
Vendor Advisories (4)
Microsoft (2020-06-09): systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits as demonstrated by use of root privileges when privileges of the 0x0 user accou…
Red Hat (2020-05-31): systemd: Mishandles numerical usernames beginning with decimal digits or 0x followed by hexadecimal digits
Debian (2017): CVE-2017-1000082: systemd - systemd v233 and earlier fails to safely parse usernames starting with a numeric...
Community (3)
Bugzilla (2020-06-09): CVE-2020-13776 systemd: Mishandles numerical usernames beginning with decimal digits or 0x followed by hexadecimal digits