CVE-2017-2616

CWE-267 CWE-362 — Race Condition CWE-444 — HTTP Request Smuggling16 documents9 sources

Severity

4.7MEDIUM

EPSS

0.1%

top 80.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Util-linux Project Util-linux Linux Util-linux Debian Debian Linux +5 more

Timeline

PublishedJul 27

Latest updateMay 13

Description

A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages9 packages

▶NVDutil-linux_project/util-linux< 2.32.1

▶Debianutil-linux< 2.29.2-1+3

▶CVEListV5linux/util-linux2.32.1

▶Debiancoreutils< 8.20-1+3

▶NVDredhat/enterprise_linux_server6.0, 7.0+1

Also affects: Debian Linux 8.0, Enterprise Linux 7.3, 7.4, 7.5

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-qmwq-wgvm-pcqr: A race condition was found in util-linux before 2↗2022-05-13

▶

GHSA

Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling)↗2018-10-19

▶

OSV

CVE-2017-2616: A race condition was found in util-linux before 2↗2018-07-27

▶

CVEList

CVE-2017-2616: A race condition was found in util-linux before 2↗2018-07-27

▶

OSV

shadow regression↗2017-05-17

▶

📋Vendor Advisories

Red Hat

jetty: Incorrect header handling↗2018-06-07

▶

Ubuntu

shadow vulnerability↗2017-11-14

▶

Ubuntu

shadow vulnerabilities↗2017-05-05

▶

Red Hat

util-linux: Sending SIGKILL to other processes with root privileges via su↗2017-02-22

▶

Debian

CVE-2017-2616: coreutils - A race condition was found in util-linux before 2.32.1 in the way su handled the...↗2017

▶

💬Community

Bugzilla

CVE-2017-7658 jetty: Incorrect header handling↗2018-06-27

▶

Bugzilla

CVE-2017-2616 util-linux: Sending SIGKILL to other processes with root privileges via su [fedora-all]↗2017-02-22

▶

Bugzilla

CVE-2017-2616 shadow-utils: util-linux: Sending SIGKILL to other processes with root privileges via su [fedora-all]↗2017-02-22

▶

Bugzilla

CVE-2017-2616 util-linux: Sending SIGKILL to other processes with root privileges via su↗2017-02-02

▶