Fluid Attacks Database

Description

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	shadow	=1:4.13+dfsg1-1 \|\| >=0 <1:4.13+dfsg1-1+deb12u1	1:4.13+dfsg1-1+deb12u1
debian 11	shadow	=1:4.8.1-1 \|\| >=0 <1:4.8.1-1+deb11u1	1:4.8.1-1+deb11u1
debian 13	shadow	>=0 <1:4.13+dfsg1-2	1:4.13+dfsg1-2
debian 14	shadow	>=0 <1:4.13+dfsg1-2	1:4.13+dfsg1-2
rpm rhel6	shadow-utils	-	-
rpm rhel7	shadow-utils	-	-
rpm rhel8	shadow-utils	<2:4.6-19.el8	2:4.6-19.el8
rpm rhel8.6	shadow-utils	<2:4.6-17.el8_6	2:4.6-17.el8_6
rpm rhel8.8	shadow-utils	<2:4.6-17.el8_8.2	2:4.6-17.el8_8.2
rpm rhel9	shadow-utils	<2:4.9-8.el9	2:4.9-8.el9

Aliases

1. CVE-2023-46412. NVD-2023-46413. OSV-DEBIAN-2023-46414. OSV-2023-46415. SECURITY-TRACKER-CVE-2023-4641