CVE-2017-12424 — CRITICAL (9.8)

Q: How severe is CVE-2017-12424?

CVE-2017-12424 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2017-12424?

Check the references section above for vendor advisories and patch information. Affected products include: Shadow Project Shadow, Debian Debian Linux.

Vulnerability Description

In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Shadow Project	Shadow	< 4.5
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-119

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630Issue TrackingThird Party Advisory
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675Issue TrackingThird Party Advisory
https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00020.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/201710-16Third Party Advisory
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630Issue TrackingThird Party Advisory
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675Issue TrackingThird Party Advisory
https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818PatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2021/03/msg00020.htmlMailing ListThird Party Advisory
https://security.gentoo.org/glsa/201710-16Third Party Advisory

FAQ

What is CVE-2017-12424?

CVE-2017-12424 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other mem...

How severe is CVE-2017-12424?

CVE-2017-12424 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-12424?

Check the references section above for vendor advisories and patch information. Affected products include: Shadow Project Shadow, Debian Debian Linux.