Main Vulnerability Database SB2023101027

SB2023101027 - SUSE update for shadow

Published: October 10, 2023

Security Bulletin ID SB2023101027

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2023-4641)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to an error in gpasswd(1), which fails to clean memory properly. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. A local user with enough access can retrieve the password from the memory.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2023/suse-su-20234027-1/