Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2022-0563

Published: 21 February 2022

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

Notes

AuthorNote
alexmurray
In Ubuntu chfn and chsh are not built from the util-linux source package but instead from the passwd package so are not affected by this vulnerability.

Priority

Medium

Cvss 3 Severity Score

5.5

Score breakdown

Status

Package Release Status
util-linux
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not compiled)
focal Not vulnerable
(code not compiled)
impish Not vulnerable
(code not compiled)
trusty Not vulnerable
(code not compiled)
upstream Needs triage

xenial Not vulnerable
(code not compiled)

Severity score breakdown

Parameter Value
Base score 5.5
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N