Improper Authentication Affecting shadow package, versions <1:4.2-3.1ubuntu5.5+esm4


Severity

Recommended
low

Based on Ubuntu security rating.

Threat Intelligence

EPSS
0.04% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improper Authentication vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-UBUNTU1604-SHADOW-5879191
  • published6 Feb 2024
  • disclosed27 Dec 2023

Introduced: 27 Dec 2023

CVE-2023-4641  (opens in a new tab)
CWE-287  (opens in a new tab)

How to fix?

Upgrade Ubuntu:16.04 shadow to version 1:4.2-3.1ubuntu5.5+esm4 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:16.04 relevant fixed versions and status.

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.

CVSS Scores

version 3.1