CVE-2023-4641
4.7
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
4.14.0-rc1 < * | unaffected | ||
| Red Hat | Red Hat Enterprise Linux 8 | 2:4.6-19.el8 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8.6 Extended Update Support | 2:4.6-17.el8_6 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8.8 Extended Update Support | 2:4.6-17.el8_8.2 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9 | 2:4.9-8.el9 < * | unaffected |
Weaknesses
- CWE-303: Incorrect Implementation of Authentication Algorithm
ADP Enrichment
CVE Program Container
Additional References
- https://access.redhat.com/errata/RHSA-2023:6632
- https://access.redhat.com/errata/RHSA-2023:7112
- https://access.redhat.com/errata/RHSA-2024:0417
- https://access.redhat.com/errata/RHSA-2024:2577
- https://access.redhat.com/security/cve/CVE-2023-4641
- https://bugzilla.redhat.com/show_bug.cgi?id=2215945
- https://lists.debian.org/debian-lts-announce/2025/04/msg00026.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://access.redhat.com/errata/RHSA-2023:6632
- https://access.redhat.com/errata/RHSA-2023:7112
- https://access.redhat.com/errata/RHSA-2024:0417
- https://access.redhat.com/errata/RHSA-2024:2577
- https://access.redhat.com/security/cve/CVE-2023-4641
- https://bugzilla.redhat.com/show_bug.cgi?id=2215945
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.