
Debian Shadow vulnerabilities

23 known vulnerabilities affecting debian/shadow.

Total CVEs: 23
CISA KEV: 0
Public exploits: 2
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 5, MEDIUM 3, LOW 14

Vulnerabilities

Page 1 of 2
CVE-2024-56433 | LOW | CVSS 3.6 | 2024
[LOW] shadow - shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host res
debian
CVE-2023-4641 | MEDIUM | CVSS 4.7 | fixed in shadow 1:4.13+dfsg1-1+deb12u1 (bookworm) | 2023
[MEDIUM] shadow - A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory. Scope: local bookworm: resolved (fixed in 1:4.13+dfsg1-1+de
debian
CVE-2023-29383 | LOW | CVSS 3.3 | fixed in shadow 1:4.13+dfsg1-1+deb12u1 (bookworm) | 2023
[LOW] shadow - In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around bl
debian
CVE-2017-20002 | HIGH | CVSS 7.8 | v4.4 | 2021-03-17
[HIGH] CWE-269: The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machin
nvd, debian
CVE-2005-4890 | HIGH | CVSS 7.8 | ≥ 4.0.0, ≤ 4.1.5 | 2019-11-04
[HIGH] CWE-20: There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.
nvd, debian
CVE-2019-19882 | LOW | CVSS 7.8 | fixed in shadow 1:4.8.1-1 (bookworm) | 2019
[HIGH] shadow - shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setu
debian
CVE-2018-16588 | LOW | CVSS 7.8 | 2018
[HIGH] shadow - Privilege escalation can occur in the SUSE useradd.c code in useradd, as distributed in the SUSE shadow package through 4.2.1-27.9.1 for SUSE Linux Enterprise 12 (SLE-12) and through 4.5-5.39 for SUSE Linux Enterprise 15 (SLE-15). Non-existing intermediate directories are created with mode 0777 during user creation. Given that they are world-writable, local attackers
debian
CVE-2018-7169 | LOW | CVSS 5.3 | fixed in shadow 1:4.7-1 (bookworm) | 2018
[MEDIUM] shadow - An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx)
debian
CVE-2017-12424 | CRITICAL | CVSS 9.8 | fixed in shadow 1:4.5-1 (bookworm) | 2017
[CRITICAL] shadow - In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows a
debian
CVE-2017-2616 | LOW | CVSS 5.5 | fixed in coreutils 8.20-1 (bookworm) | 2017
[MEDIUM] coreutils - A race condition was found in util-linux before 2.32.1 in the way su handled the management of child processes. A local authenticated attacker could use this flaw to kill other processes with root privileges under specific conditions. Scope: local bookworm: resolved (fixed in 8.20-1) bullseye: resolved (fixed in 8.20-1) forky: resolved (fixed in 8.20-1) sid: resol
debian
CVE-2016-6252 | HIGH | CVSS 7.8 | fixed in shadow 1:4.4-1 (bookworm) | 2016
[HIGH] shadow - Integer overflow in shadow 4.2.1 allows local users to gain privileges via crafted input to newuidmap. Scope: local bookworm: resolved (fixed in 1:4.4-1) bullseye: resolved (fixed in 1:4.4-1) forky: resolved (fixed in 1:4.4-1) sid: resolved (fixed in 1:4.4-1) trixie: resolved (fixed in 1:4.4-1)
debian
CVE-2013-4235 | LOW | CVSS 4.7 | fixed in shadow 1:4.12.3+dfsg1-1 (bookworm) | 2013
[MEDIUM] shadow - shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees Scope: local bookworm: resolved (fixed in 1:4.12.3+dfsg1-1) bullseye: open forky: resolved (fixed in 1:4.12.3+dfsg1-1) sid: resolved (fixed in 1:4.12.3+dfsg1-1) trixie: resolved (fixed in 1:4.12.3+dfsg1-1)
debian
CVE-2011-0721 | MEDIUM | CVSS 6.4 | v1\ | 2011-02-19
[MEDIUM] CWE-20: Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow 1:4.1.4 allow local users to add new users or groups to /etc/passwd via the GECOS field.
nvd, debian
CVE-2008-5394 | HIGH | CVSS 7.2 | PoC | v4.0.18.1 | 2008-12-09
[HIGH] CWE-59: /bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.
nvd, debian
CVE-2007-5686 | LOW | CVSS 4.9 | 2007
[MEDIUM] shadow - initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers. Scope: local bookwor
debian
CVE-2006-1174 | LOW | CVSS 3.7 | ≤ 4.0.7 | v4.0.0 +6 more | 2006-05-28
[LOW] CWE-264: useradd in shadow-utils before 4.0.3, and possibly other versions before 4.0.8, does not provide a required argument to the open function when creating a new user mailbox, which causes the mailbox to be created with unpredictable permissions and possibly allows attackers to read or modify the mailbox.
nvd, debian
CVE-2006-1844 | LOW | CVSS 2.1 | v4.0.14 | 2006-04-19
[LOW] The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.53.10 packages includes sensitive information in world-readable log files, including preseeded passwords and pppoeconf passwords, which might allow local users to gain privileges.
nvd, debian
CVE-2006-3378 | HIGH | CVSS 7.2 | fixed in shadow 1:4.0.14-1 (bookworm) | 2006
[HIGH] shadow - passwd command in shadow in Ubuntu 5.04 through 6.06 LTS, when called with the -f, -g, or -s flag, does not check the return code of a setuid call, which might allow local users to gain root privileges if setuid fails in cases such as PAM failures or resource limits. Scope: local bookworm: resolved (fixed in 1:4.0.14-1) bullseye: resolved (fixed in 1:4.0.14-1) forky: r
debian
CVE-2006-1376 | LOW | CVSS 2.1 | fixed in shadow 1:4.0.14-9 (bookworm) | 2006
[LOW] shadow - The installation of Debian GNU/Linux 3.1r1 from the network install CD creates /var/log/debian-installer/cdebconf with world writable permissions, which allows local users to cause a denial of service (disk consumption). Scope: local bookworm: resolved (fixed in 1:4.0.14-9) bullseye: resolved (fixed in 1:4.0.14-9) forky: resolved (fixed in 1:4.0.14-9) sid: resolved (fix
debian
CVE-2006-1183 | LOW | CVSS 7.2 | PoC | 2006
[HIGH] shadow - The Ubuntu 5.10 installer does not properly clear passwords from the installer log file (questions.dat), and leaves the log file with world-readable permissions, which allows local users to gain privileges. Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved
debian