CVE-2019-19882 — Incorrect Permission Assignment in Project Shadow

CWE-732 — Incorrect Permission Assignment CWE-592 — DEPRECATED: Authentication Bypass Issues7 documents7 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 73.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Shadow Project Shadow

Timeline

PublishedDec 18

Latest updateMay 24

Description

shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, us…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶Debianshadow_project/shadow< 1:4.8.1-1+3

▶NVDshadow_project/shadow4.8

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-x9jp-6hm9-x2xg: shadow 4↗2022-05-24

▶

CVEList

CVE-2019-19882: shadow 4↗2019-12-18

▶

OSV

CVE-2019-19882: shadow 4↗2019-12-18

▶

📋Vendor Advisories

Red Hat

shadow-utils: local users can obtain root access because setuid programs are misconfigured↗2020-01-07

▶

Debian

CVE-2019-19882: shadow - shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and ...↗2019

▶

💬Community

Bugzilla

CVE-2019-19882 shadow-utils: local users can obtain root access because setuid programs are misconfigured↗2020-01-07

▶