CVE-2015-3245

CVSS V2 Low 2.1 CVSS V3 None
Description
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.
Overview
  • CVE ID
  • CVE-2015-3245
  • Assigner
  • secalert@redhat.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2015-08-11T14:59:05
  • Last Modified Date
  • 2023-02-13T00:48:56
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:redhat:libuser:*:*:*:*:*:*:*:* 1 OR 0.56.13-5
cpe:2.3:a:redhat:libuser:0.60-1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:redhat:libuser:0.60-2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:redhat:libuser:0.60-3:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:redhat:libuser:0.60-4:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:redhat:libuser:0.60-5:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:redhat:libuser:0.60-6:*:*:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:L/AC:L/Au:N/C:N/I:N/A:P
  • Access Vector
  • LOCAL
  • Access Compatibility
  • LOW
  • Authentication
  • NONE
  • Confidentiality Impact
  • NONE
  • Integrity Impact
  • NONE
  • Availability Impact
  • PARTIAL
  • Base Score
  • 2.1
  • Severity
  • LOW
  • Exploitability Score
  • 3.9
  • Impact Score
  • 2.9
History
Created Old Value New Value Data Type Notes
2022-05-10 18:43:23 Added to TrackCVE
2022-12-02 05:49:39 2015-08-11T14:59Z 2015-08-11T14:59:05 CVE Published Date updated
2022-12-02 05:49:39 2018-05-20T01:29:00 CVE Modified Date updated
2022-12-02 05:49:39 Modified Vulnerability Status updated
2023-02-02 21:05:05 2023-02-02T20:20:27 CVE Modified Date updated
2023-02-02 21:05:05 Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field. It was found that libuser, as used by the chfn userhelper functionality, did not properly filter out newline characters in GECOS fields. A local, authenticated user could use this flaw to corrupt the /etc/passwd file, resulting in a denial-of-service on the system. Description updated
2023-02-02 21:05:12 References updated
2023-02-13 01:06:00 2023-02-13T00:48:56 CVE Modified Date updated
2023-02-13 01:06:01 It was found that libuser, as used by the chfn userhelper functionality, did not properly filter out newline characters in GECOS fields. A local, authenticated user could use this flaw to corrupt the /etc/passwd file, resulting in a denial-of-service on the system. Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field. Description updated