CVSS: 7.2EPSS: 0%CPEs: 7EXPL: 3CVE-2015-3246 – Libuser Library - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-3246
libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, directly modifies /etc/passwd, which allows local users to cause a denial of service (inconsistent file state) by causing an error during the modification. NOTE: this issue can be combined with CVE-2015-3245 to gain privileges. Vulnerabilidad en libuser en versiones anteriores 0.56.13-8 y 0.60 en versiones anteriores a 0.60.7, tal como se utiliza en el programa userhelper en el paquete usermode, modifica directamente /etc/passwd, lo que permite a usuarios locales provocar una denegación de servicio (estado de archivo inconsistente) causando un error durante la modificación. NOTA: este problema se puede combinar con CVE-2015-3245 para obtener privilegios. A flaw was found in the way the libuser library handled the /etc/passwd file. • https://www.exploit-db.com/exploits/37706 https://www.exploit-db.com/exploits/44633 http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163044.html http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162947.html http://lists.opensuse.org/opensuse-security-announce/2015-08/msg00000.html http://rhn.redhat.com/errata/RHSA-2015-1482.html http://rhn.redhat.com/errata/RHSA-2015-1483.html http://www.securityfocus.com/bid/76022 http://www.securitytracker.com/ • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 2.1EPSS: 0%CPEs: 7EXPL: 3CVE-2015-3245 – Libuser Library - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-3245
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field. Vulnerabilidad de lista negra incompleta en la función chfn en libuser en versiones anteriores a 0.56.13-8 y 0.60 en versiones anteriores a 0.60-7, tal como se utiliza en el programa userhelp en el paquete usermode, permite a usuarios locales provocar una denegación de servicio (/etc/passwd corruption) a través de un caracter de nueva línea en el campo GECOS. It was found that libuser, as used by the chfn userhelper functionality, did not properly filter out newline characters in GECOS fields. A local, authenticated user could use this flaw to corrupt the /etc/passwd file, resulting in a denial-of-service on the system. • https://www.exploit-db.com/exploits/37706 https://www.exploit-db.com/exploits/44633 http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163044.html http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162947.html http://rhn.redhat.com/errata/RHSA-2015-1482.html http://rhn.redhat.com/errata/RHSA-2015-1483.html http://www.securityfocus.com/bid/76021 http://www.securitytracker.com/id/1033040 https://access.redhat.com/articles/1537873 https://www.qu • CWE-20: Improper Input Validation CWE-138: Improper Neutralization of Special Elements •
CVSS: 6.4EPSS: 0%CPEs: 104EXPL: 1CVE-2011-0002 – libuser creates LDAP users with a default password
https://notcve.org/view.php?id=CVE-2011-0002
libuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values. libuser en versiones anteriores a la 0.57 usa la contraseña en texto claro (1) !! o (2) x para cuentas de usuario LDAP nuevas, lo que facilita a atacantes remotos obtener acceso especificando uno de estos valores. • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053365.html http://lists.fedoraproject.org/pipermail/package-announce/2011-January/053378.html http://secunia.com/advisories/42891 http://secunia.com/advisories/42966 http://secunia.com/advisories/43047 http://securitytracker.com/id?1024960 http://www.mandriva.com/security/advisories?name=MDVSA-2011:019 http://www.osvdb.org/70421 http://www.redhat.com/suppor • CWE-310: Cryptographic Issues •