CVE-2017-12424: Improper Restriction of Operations within the Bounds of a Memory Buffer in Project Shadow

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.6% (top 30.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2017-08-04; latest update 2024-11-01

Description

In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
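The fix for this CVE is upgrading shadow to 4.5 or later. In the hosting scenario the description singles out, a control panel forwards records written by unprivileged accounts to newusers, so the front end is also the place to stop malformed input before it reaches a tool that runs with elevated privileges. The following is an added example for this page, not code from the shadow project or from any control panel. It assumes the newusers(8) input format, one passwd(5)-style record per line (`pw_name:pw_passwd:pw_uid:pw_gid:pw_gecos:pw_dir:pw_shell`), and deliberately accepts less than newusers itself does (numeric-or-empty uid/gid only, a shell allow-list, a home directory derived from the username). The length cap, minimum uid and shell list are hypothetical policy values, and the sample records are constructed.

```python
"""Allow-list validation of newusers(8) records before they reach the tool.

Added example; not shadow project code. Assumes the newusers(8) input format
    pw_name:pw_passwd:pw_uid:pw_gid:pw_gecos:pw_dir:pw_shell
and is stricter than newusers itself on purpose: anything that is not plainly
well-formed is rejected before a privileged tool has to parse it. Upgrading to
shadow 4.5 is the actual fix; this is defence in depth for the front end.
"""
import re
import subprocess
from typing import List

FIELD_COUNT = 7
MAX_LINE_LEN = 1024            # hypothetical cap on a whole record
MIN_UID = 1000                 # hypothetical policy: never hand out system ids
ALLOWED_SHELLS = {"/bin/sh", "/bin/bash", "/usr/sbin/nologin", ""}  # hypothetical

# Lower-case portable username, at most 32 chars, optional trailing '$'.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,30}[a-z0-9_$-]?$")
# Empty means "let newusers allocate"; otherwise digits only (no names).
ID_RE = re.compile(r"^[0-9]{0,10}$")
# Printable ASCII without space or ':' (a colon would shift the fields).
PASSWORD_RE = re.compile(r"^[!-9;-~]{8,128}$")
GECOS_RE = re.compile(r"^[A-Za-z0-9 .,'-]{0,128}$")
HOME_RE = re.compile(r"^/home/[a-z_][a-z0-9_$-]{0,31}$|^$")


class InvalidRecord(ValueError):
    """Raised for any record that is not on the allow-list."""


def validate_line(line: str) -> List[str]:
    """Return the seven fields of a well-formed record or raise InvalidRecord."""
    if "\n" in line or "\r" in line or "\0" in line:
        raise InvalidRecord("control character in record")
    if len(line) > MAX_LINE_LEN:
        raise InvalidRecord("record too long")
    if not line.isascii() or not line.isprintable():
        raise InvalidRecord("non-printable or non-ASCII byte in record")
    fields = line.split(":")
    if len(fields) != FIELD_COUNT:
        raise InvalidRecord(f"expected {FIELD_COUNT} fields, got {len(fields)}")
    name, passwd, uid, gid, gecos, home, shell = fields
    if not USERNAME_RE.match(name):
        raise InvalidRecord(f"bad username {name!r}")
    if not PASSWORD_RE.match(passwd):
        raise InvalidRecord("password must be 8-128 printable ASCII chars")
    for value in (uid, gid):
        if not ID_RE.match(value):
            raise InvalidRecord("uid/gid must be empty or numeric")
        if value and int(value) < MIN_UID:
            raise InvalidRecord("uid/gid below policy minimum")
    if not GECOS_RE.match(gecos):
        raise InvalidRecord("bad gecos field")
    if not HOME_RE.match(home) or (home and home != f"/home/{name}"):
        raise InvalidRecord("home must be empty or /home/<username>")
    if shell not in ALLOWED_SHELLS:
        raise InvalidRecord(f"shell {shell!r} not in allow-list")
    return fields


def is_valid(line: str) -> bool:
    """Convenience predicate around validate_line()."""
    try:
        validate_line(line)
        return True
    except InvalidRecord:
        return False


def build_batch(lines: List[str]) -> str:
    """Validate every record and return the text to feed newusers on stdin."""
    seen = set()
    out = []
    for line in lines:
        fields = validate_line(line)
        if fields[0] in seen:
            raise InvalidRecord(f"duplicate username {fields[0]!r}")
        seen.add(fields[0])
        out.append(":".join(fields))
    return "".join(record + "\n" for record in out)


def run_newusers(batch: str, cmd=("newusers",)) -> None:
    """Run in the privileged context only; stdin is the validated batch,
    never a user-supplied file path. Not exercised in the example."""
    subprocess.run(list(cmd), input=batch.encode("ascii"), check=True)


# Constructed sample request from a hypothetical control panel.
SAMPLE_REQUEST = [
    "alice:Str0ngPassw0rd!:::Alice Example:/home/alice:/bin/bash",
    "bob:An0therPassw0rd:::Bob Example:/home/bob:/usr/sbin/nologin",
]

if __name__ == "__main__":
    print(build_batch(SAMPLE_REQUEST), end="")
```

Everything that is not explicitly allowed is rejected, including names newusers would accept in the uid/gid fields, because the point is to minimise the variety of input a privileged tool has to parse, not to reproduce its grammar.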

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Note that newusers is a local administrative tool. The network, no-privileges vector reflects the hosting scenario in the description, where a control panel passes records from unprivileged accounts to newusers; on a host where only root runs newusers on input it controls, the practical exposure is correspondingly lower.

Affected Packages (4 packages)

Debian: shadow_project/shadow < 1:4.5-1 (+3 more)
Ubuntu: shadow_project/shadow < 1:4.5-1ubuntu2.2 (+2 more)
Palo Alto: paloalto/pan-os

Also affects: Debian Linux 9.0

Patches

Vulnerability Details (4)

GHSA: GHSA-mmpg-c26w-2pfg: In shadow before 4... (2022-05-13)
OSV: shadow vulnerabilities (2022-01-27)
OSV: CVE-2017-12424: In shadow before 4... (2017-08-04)
CVE List: CVE-2017-12424: In shadow before 4... (2017-08-04)

Vendor Advisories (4)

Palo Alto: PAN-SA-2024-0013 Informational Bulletin: Impact of OSS CVEs in PAN-OS (2024-11-01)
Ubuntu: shadow vulnerabilities (2022-01-27)
Red Hat: shadow-utils: Buffer overflow via newusers tool (2017-03-31)
Debian: CVE-2017-12424: shadow - In shadow before 4.5, the newusers tool could be made to manipulate internal dat... (2017)

Community (2)

Bugzilla: CVE-2017-12424 shadow-utils: Buffer overflow via newusers tool [fedora-all] (2017-09-15)
Bugzilla: CVE-2017-12424 shadow-utils: Buffer overflow via newusers tool (2017-08-04)
CVE-2017-12424 — Shadow Project Shadow vulnerability | cvebase