CVE-2023-4641 — MEDIUM (4.7)

Q: How severe is CVE-2023-4641?

CVE-2023-4641 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-4641?

Check the references section above for vendor advisories and patch information. Affected products include: Shadow-Maint Shadow-Utils, Redhat Codeready Linux Builder, Redhat Codeready Linux Builder For Arm64, Redhat Codeready Linux Builder For Ibm Z Systems, Redhat Codeready Linux Builder For Power Little Endian.

Vulnerability Description

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.

CVSS Score

4.7

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Shadow-Maint	Shadow-Utils	< 4.14.0
Redhat	Codeready Linux Builder	8.0
Redhat	Codeready Linux Builder For Arm64	8.0_aarch64
Redhat	Codeready Linux Builder For Ibm Z Systems	8.0_s390x
Redhat	Codeready Linux Builder For Power Little Endian	8.0_ppc64le
Redhat	Enterprise Linux	8.0
Redhat	Enterprise Linux For Arm 64	8.0
Redhat	Enterprise Linux For Ibm Z Systems	8.0_s390x
Redhat	Enterprise Linux For Power Little Endian	8.0_ppc64le

Related Weaknesses (CWE)

CWE-287 CWE-303

References

https://access.redhat.com/errata/RHSA-2023:6632Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7112Third Party Advisory
https://access.redhat.com/errata/RHSA-2024:0417
https://access.redhat.com/errata/RHSA-2024:2577
https://access.redhat.com/security/cve/CVE-2023-4641Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2215945Issue Tracking
https://access.redhat.com/errata/RHSA-2023:6632Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7112Third Party Advisory
https://access.redhat.com/errata/RHSA-2024:0417
https://access.redhat.com/errata/RHSA-2024:2577
https://access.redhat.com/security/cve/CVE-2023-4641Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2215945Issue Tracking
https://lists.debian.org/debian-lts-announce/2025/04/msg00026.html

FAQ

What is CVE-2023-4641?

CVE-2023-4641 is a vulnerability with a CVSS score of 4.7 (MEDIUM). A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to s...

How severe is CVE-2023-4641?

CVE-2023-4641 has been rated MEDIUM with a CVSS base score of 4.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-4641?

Check the references section above for vendor advisories and patch information. Affected products include: Shadow-Maint Shadow-Utils, Redhat Codeready Linux Builder, Redhat Codeready Linux Builder For Arm64, Redhat Codeready Linux Builder For Ibm Z Systems, Redhat Codeready Linux Builder For Power Little Endian.