Buffer overflow in shadow - CVE-2017-12424
Published: August 4, 2017 / Updated: July 28, 2020
Vulnerability identifier: #VU32061
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-12424
CWE-ID: CWE-119
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Mark Florian
Affected software:
shadow
shadow
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.
How to mitigate CVE-2017-12424
Install update from vendor's website.