CVE-2022-25327 — Incorrect Default Permissions in Google Fscrypt

CWE-255 CWE-276 — Incorrect Default Permissions9 documents5 sources

Severity

5.5MEDIUMNVD

EPSS

0.0%

top 98.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Google Fscrypt Github.com Google Fscrypt Google LLC Fscrypt

Timeline

PublishedFeb 25

Latest updateAug 21

Description

The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶NVDgoogle/fscrypt< 0.3.3

▶Gogithub.com/google_fscrypt< 0.3.3

▶Debiangoogle/fscrypt< 0.3.3-1+2

▶CVEListV5google_llc/fscryptunspecified — 0.3.2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

User login denial of service in github.com/google/fscrypt↗2024-08-21

▶

OSV

Denial of service via insufficient metadata validation↗2022-03-01

▶

GHSA

Denial of service via insufficient metadata validation↗2022-03-01

▶

GHSA

User login denial of service in github.com/google/fscrypt↗2022-02-26

▶

OSV

User login denial of service in github.com/google/fscrypt↗2022-02-26

▶

📋Vendor Advisories

Debian

CVE-2022-25327: fscrypt - The PAM module for fscrypt doesn't adequately validate fscrypt metadata files, a...↗2022

▶