opensysusers through 0.6 does not safely use eval on files in sysusers.d that may contain shell metacharacters. For example, it allows command execution via a crafted GECOS field whereas systemd-sysusers (a program with the same specification) does not do that.
References
Link | Resource |
---|---|
https://bugs.debian.org/992058 | Exploit Mailing List Third Party Advisory |
https://github.com/artix-linux/opensysusers/releases | Release Notes Third Party Advisory |
https://bugs.debian.org/992058 | Exploit Mailing List Third Party Advisory |
https://github.com/artix-linux/opensysusers/releases | Release Notes Third Party Advisory |
Configurations
History
21 Nov 2024, 06:23
Type | Values Removed | Values Added |
---|---|---|
References | () https://bugs.debian.org/992058 - Exploit, Mailing List, Third Party Advisory | |
References | () https://github.com/artix-linux/opensysusers/releases - Release Notes, Third Party Advisory |
12 Jul 2022, 17:42
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-94 |
31 Aug 2021, 18:55
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-77 | |
CPE | cpe:2.3:a:artixlinux:opensysusers:*:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 7.5
v3 : 9.8 |
References | (MISC) https://github.com/artix-linux/opensysusers/releases - Release Notes, Third Party Advisory | |
References | (MISC) https://bugs.debian.org/992058 - Exploit, Mailing List, Third Party Advisory |
25 Aug 2021, 02:23
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-08-25 01:15
Updated : 2024-11-21 06:23
NVD link : CVE-2021-40084
Mitre link : CVE-2021-40084
CVE.ORG link : CVE-2021-40084
JSON object : View
Products Affected
artixlinux
- opensysusers
CWE
CWE-94
Improper Control of Generation of Code ('Code Injection')