5.5

CVE-2023-4641

Shadow-utils: possible password leak during passwd(1) change

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.168
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
secalert@redhat.com 4.7 1 3.6
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-303 Incorrect Implementation of Authentication Algorithm

The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

https://access.redhat.com/errata/RHSA-2023:6632
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7112
Third Party Advisory
https://access.redhat.com/errata/RHSA-2024:0417
https://access.redhat.com/errata/RHSA-2024:2577
https://access.redhat.com/security/cve/CVE-2023-4641
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2215945
Issue Tracking
https://lists.debian.org/debian-lts-announce/2025/04/msg00026.html