← Back to CVEs

CVE-2017-12424

CRITICAL

9.8

Description

In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published8/4/2017

Last Modified4/20/2025

Sourcenvd

Honeypot Sightings0

Affected Products

debian:debian_linuxshadow_project:shadow

Weaknesses (CWE)

CWE-119

References

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630(cve@mitre.org)

https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675(cve@mitre.org)

https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952(cve@mitre.org)

https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html(cve@mitre.org)

https://security.gentoo.org/glsa/201710-16(cve@mitre.org)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630(af854a3a-2127-422b-91ae-364da2661108)

https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952(af854a3a-2127-422b-91ae-364da2661108)

https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html(af854a3a-2127-422b-91ae-364da2661108)

https://security.gentoo.org/glsa/201710-16(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.