Shadow Debian Shadow

Do you want an email whenever new security vulnerabilities are reported in Debian Shadow?

By the Year

In 2022 there have been 0 vulnerabilities in Debian Shadow . Last year Shadow had 1 security vulnerability published. Right now, Shadow is on track to have less security vulnerabilities in 2022 than it did last year.

Year Vulnerabilities Average Score
2022 0 0.00
2021 1 7.80
2020 0 0.00
2019 2 6.25
2018 0 0.00

It may take a day or so for new Shadow vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Debian Shadow Security Vulnerabilities

The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty

CVE-2017-20002 7.8 - High - March 17, 2021

The Debian shadow package before 1:4.5-1 for Shadow incorrectly lists pts/0 and pts/1 as physical terminals in /etc/securetty. This allows local users to login as password-less users even if they are connected by non-physical means such as SSH (hence bypassing PAM's nullok_secure configuration). This notably affects environments such as virtual machines automatically generated with a default blank root password, allowing all local users to escalate privileges.

Improper Privilege Management

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

CVE-2013-4235 4.7 - Medium - December 03, 2019

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

TOCTTOU

There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program"

CVE-2005-4890 7.8 - High - November 04, 2019

There is a possible tty hijacking in shadow 4.x before 4.1.5 and sudo 1.x before 1.7.4 via "su - user -c program". The user session can be escaped to the parent session by using the TIOCSTI ioctl to push characters into the input buffer to be read by the next process.

Improper Input Validation

useradd in shadow-utils before 4.0.3, and possibly other versions before 4.0.8, does not provide a required argument to the open function when creating a new user mailbox, which causes the mailbox to be created with unpredictable permissions and possibly

CVE-2006-1174 - May 28, 2006

useradd in shadow-utils before 4.0.3, and possibly other versions before 4.0.8, does not provide a required argument to the open function when creating a new user mailbox, which causes the mailbox to be created with unpredictable permissions and possibly allows attackers to read or modify the mailbox.

Permissions, Privileges, and Access Controls

The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.53.10 packages includes sensitive information in world-readable log files, including preseeded passwords and pppoeconf passwords, which might

CVE-2006-1844 - April 19, 2006

The Debian installer for the (1) shadow 4.0.14 and (2) base-config 2.53.10 packages includes sensitive information in world-readable log files, including preseeded passwords and pppoeconf passwords, which might allow local users to gain privileges.

Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, and possibly other versions before 4.0.5

CVE-2004-1001 - March 01, 2005

Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, and possibly other versions before 4.0.5, allows local users to conduct unauthorized activities when an error from a pam_chauthtok function call is not properly handled.

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for Debian Shadow or by Debian? Click the Watch button to subscribe.

Debian
Vendor

Debian Shadow
Product

subscribe