Vulnerabilities

 27 via 52 paths

Dependencies

 92

Source

 Group 6 Copy Created with Sketch. Docker

Target OS

 ubuntu:20.04
Test your Docker Hub image against our market leading vulnerability database Sign up for free
Severity
  • 1
  • 12
  • 14
Status
  • 27
  • 0
  • 0

high severity

Out-of-bounds Write

  • Vulnerable module: gnupg2/gpgv
  • Introduced through: gnupg2/gpgv@2.2.19-3ubuntu2.4
  • Fixed in: 2.2.19-3ubuntu2.5+esm1

Detailed paths

  • Introduced through: ubuntu@focal gnupg2/gpgv@2.2.19-3ubuntu2.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

Remediation

Upgrade Ubuntu:20.04 gnupg2 to version 2.2.19-3ubuntu2.5+esm1 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

Double Free

  • Vulnerable module: gnutls28/libgnutls30
  • Introduced through: gnutls28/libgnutls30@3.6.13-2ubuntu1.12
  • Fixed in: 3.6.13-2ubuntu1.12+esm1

Detailed paths

  • Introduced through: ubuntu@focal gnutls28/libgnutls30@3.6.13-2ubuntu1.12

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure.

This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.12+esm1 or higher.

References

Double Free vulnerability report

medium severity

Heap-based Buffer Overflow

  • Vulnerable module: gnutls28/libgnutls30
  • Introduced through: gnutls28/libgnutls30@3.6.13-2ubuntu1.12
  • Fixed in: 3.6.13-2ubuntu1.12+esm1

Detailed paths

  • Introduced through: ubuntu@focal gnutls28/libgnutls30@3.6.13-2ubuntu1.12

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.12+esm1 or higher.

References

Heap-based Buffer Overflow vulnerability report

medium severity

Directory Traversal

  • Vulnerable module: pam/libpam-modules
  • Introduced through: pam/libpam-modules@1.3.1-5ubuntu4.7, pam/libpam-modules-bin@1.3.1-5ubuntu4.7 and others

Detailed paths

  • Introduced through: ubuntu@focal pam/libpam-modules@1.3.1-5ubuntu4.7
  • Introduced through: ubuntu@focal pam/libpam-modules-bin@1.3.1-5ubuntu4.7
  • Introduced through: ubuntu@focal pam/libpam-runtime@1.3.1-5ubuntu4.7
  • Introduced through: ubuntu@focal pam/libpam0g@1.3.1-5ubuntu4.7

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

Remediation

There is no fixed version for Ubuntu:20.04 pam.

References

Directory Traversal vulnerability report

medium severity

NULL Pointer Dereference

  • Vulnerable module: gnutls28/libgnutls30
  • Introduced through: gnutls28/libgnutls30@3.6.13-2ubuntu1.12
  • Fixed in: 3.6.13-2ubuntu1.12+esm1

Detailed paths

  • Introduced through: ubuntu@focal gnutls28/libgnutls30@3.6.13-2ubuntu1.12

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnutls28 package and not the gnutls28 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

Remediation

Upgrade Ubuntu:20.04 gnutls28 to version 3.6.13-2ubuntu1.12+esm1 or higher.

References

NULL Pointer Dereference vulnerability report

medium severity

Improper Verification of Cryptographic Signature

  • Vulnerable module: gnupg2/gpgv
  • Introduced through: gnupg2/gpgv@2.2.19-3ubuntu2.4

Detailed paths

  • Introduced through: ubuntu@focal gnupg2/gpgv@2.2.19-3ubuntu2.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

Remediation

There is no fixed version for Ubuntu:20.04 gnupg2.

References

Improper Verification of Cryptographic Signature vulnerability report

medium severity

Race Condition

  • Vulnerable module: systemd/libsystemd0
  • Introduced through: systemd/libsystemd0@245.4-4ubuntu3.24 and systemd/libudev1@245.4-4ubuntu3.24
  • Fixed in: 245.4-4ubuntu3.24+esm1

Detailed paths

  • Introduced through: ubuntu@focal systemd/libsystemd0@245.4-4ubuntu3.24
  • Introduced through: ubuntu@focal systemd/libudev1@245.4-4ubuntu3.24

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original's privileged process coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process.

A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and force the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original's SUID process coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.

Remediation

Upgrade Ubuntu:20.04 systemd to version 245.4-4ubuntu3.24+esm1 or higher.

References

Race Condition vulnerability report

medium severity
new

CVE-2025-15281

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.31-0ubuntu9.17 and glibc/libc6@2.31-0ubuntu9.17
  • Fixed in: 2.31-0ubuntu9.18+esm1

Detailed paths

  • Introduced through: ubuntu@focal glibc/libc-bin@2.31-0ubuntu9.17
  • Introduced through: ubuntu@focal glibc/libc6@2.31-0ubuntu9.17

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

Remediation

Upgrade Ubuntu:20.04 glibc to version 2.31-0ubuntu9.18+esm1 or higher.

References

CVE-2025-15281 vulnerability report

medium severity

CVE-2025-4802

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.31-0ubuntu9.17 and glibc/libc6@2.31-0ubuntu9.17
  • Fixed in: 2.31-0ubuntu9.18

Detailed paths

  • Introduced through: ubuntu@focal glibc/libc-bin@2.31-0ubuntu9.17
  • Introduced through: ubuntu@focal glibc/libc6@2.31-0ubuntu9.17

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or calls to NSS functions such as getaddrinfo).

Remediation

Upgrade Ubuntu:20.04 glibc to version 2.31-0ubuntu9.18 or higher.

References

CVE-2025-4802 vulnerability report

medium severity

CVE-2025-8058

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.31-0ubuntu9.17 and glibc/libc6@2.31-0ubuntu9.17
  • Fixed in: 2.31-0ubuntu9.18+esm1

Detailed paths

  • Introduced through: ubuntu@focal glibc/libc-bin@2.31-0ubuntu9.17
  • Introduced through: ubuntu@focal glibc/libc6@2.31-0ubuntu9.17

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library.

Remediation

Upgrade Ubuntu:20.04 glibc to version 2.31-0ubuntu9.18+esm1 or higher.

References

CVE-2025-8058 vulnerability report

medium severity

CVE-2026-0861

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.31-0ubuntu9.17 and glibc/libc6@2.31-0ubuntu9.17
  • Fixed in: 2.31-0ubuntu9.18+esm1

Detailed paths

  • Introduced through: ubuntu@focal glibc/libc-bin@2.31-0ubuntu9.17
  • Introduced through: ubuntu@focal glibc/libc6@2.31-0ubuntu9.17

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.

Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.

Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.

Remediation

Upgrade Ubuntu:20.04 glibc to version 2.31-0ubuntu9.18+esm1 or higher.

References

CVE-2026-0861 vulnerability report

medium severity
new

CVE-2026-0915

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.31-0ubuntu9.17 and glibc/libc6@2.31-0ubuntu9.17
  • Fixed in: 2.31-0ubuntu9.18+esm1

Detailed paths

  • Introduced through: ubuntu@focal glibc/libc-bin@2.31-0ubuntu9.17
  • Introduced through: ubuntu@focal glibc/libc6@2.31-0ubuntu9.17

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

Remediation

Upgrade Ubuntu:20.04 glibc to version 2.31-0ubuntu9.18+esm1 or higher.

References

CVE-2026-0915 vulnerability report

medium severity

Directory Traversal

  • Vulnerable module: tar
  • Introduced through: tar@1.30+dfsg-7ubuntu0.20.04.4

Detailed paths

  • Introduced through: ubuntu@focal tar@1.30+dfsg-7ubuntu0.20.04.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

Remediation

There is no fixed version for Ubuntu:20.04 tar.

References

Directory Traversal vulnerability report

low severity

Use After Free

  • Vulnerable module: glibc/libc-bin
  • Introduced through: glibc/libc-bin@2.31-0ubuntu9.17 and glibc/libc6@2.31-0ubuntu9.17

Detailed paths

  • Introduced through: ubuntu@focal glibc/libc-bin@2.31-0ubuntu9.17
  • Introduced through: ubuntu@focal glibc/libc6@2.31-0ubuntu9.17

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.

Remediation

There is no fixed version for Ubuntu:20.04 glibc.

References

Use After Free vulnerability report

low severity

CVE-2023-26604

  • Vulnerable module: systemd/libsystemd0
  • Introduced through: systemd/libsystemd0@245.4-4ubuntu3.24 and systemd/libudev1@245.4-4ubuntu3.24

Detailed paths

  • Introduced through: ubuntu@focal systemd/libsystemd0@245.4-4ubuntu3.24
  • Introduced through: ubuntu@focal systemd/libudev1@245.4-4ubuntu3.24

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

systemd before 247 does not adequately block local privilege escalation for some Sudo configurations, e.g., plausible sudoers files in which the "systemctl status" command may be executed. Specifically, systemd does not set LESSSECURE to 1, and thus other programs may be launched from the less program. This presents a substantial security risk when running systemctl from Sudo, because less executes as root when the terminal size is too small to show the complete systemctl output.

Remediation

There is no fixed version for Ubuntu:20.04 systemd.

References

CVE-2023-26604 vulnerability report

low severity

Integer Overflow or Wraparound

  • Vulnerable module: pcre2/libpcre2-8-0
  • Introduced through: pcre2/libpcre2-8-0@10.34-7ubuntu0.1

Detailed paths

  • Introduced through: ubuntu@focal pcre2/libpcre2-8-0@10.34-7ubuntu0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre2 package and not the pcre2 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Integer overflow vulnerability in pcre2test before 10.41 allows attackers to cause a denial of service or other unspecified impacts via negative input.

Remediation

There is no fixed version for Ubuntu:20.04 pcre2.

References

Integer Overflow or Wraparound vulnerability report

low severity

Uncontrolled Recursion

  • Vulnerable module: pcre3/libpcre3
  • Introduced through: pcre3/libpcre3@2:8.39-12ubuntu0.1

Detailed paths

  • Introduced through: ubuntu@focal pcre3/libpcre3@2:8.39-12ubuntu0.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream pcre3 package and not the pcre3 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.

Remediation

There is no fixed version for Ubuntu:20.04 pcre3.

References

Uncontrolled Recursion vulnerability report

low severity

Improper Input Validation

  • Vulnerable module: coreutils
  • Introduced through: coreutils@8.30-3ubuntu2

Detailed paths

  • Introduced through: ubuntu@focal coreutils@8.30-3ubuntu2

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

Remediation

There is no fixed version for Ubuntu:20.04 coreutils.

References

Improper Input Validation vulnerability report

low severity

CVE-2023-50495

  • Vulnerable module: ncurses/libncurses6
  • Introduced through: ncurses/libncurses6@6.2-0ubuntu2.1, ncurses/libncursesw6@6.2-0ubuntu2.1 and others

Detailed paths

  • Introduced through: ubuntu@focal ncurses/libncurses6@6.2-0ubuntu2.1
  • Introduced through: ubuntu@focal ncurses/libncursesw6@6.2-0ubuntu2.1
  • Introduced through: ubuntu@focal ncurses/libtinfo6@6.2-0ubuntu2.1
  • Introduced through: ubuntu@focal ncurses/ncurses-base@6.2-0ubuntu2.1
  • Introduced through: ubuntu@focal ncurses/ncurses-bin@6.2-0ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

NCurse v6.4-20230418 was discovered to contain a segmentation fault via the component _nc_wrap_entry().

Remediation

There is no fixed version for Ubuntu:20.04 ncurses.

References

CVE-2023-50495 vulnerability report

low severity

CVE-2023-7008

  • Vulnerable module: systemd/libsystemd0
  • Introduced through: systemd/libsystemd0@245.4-4ubuntu3.24 and systemd/libudev1@245.4-4ubuntu3.24

Detailed paths

  • Introduced through: ubuntu@focal systemd/libsystemd0@245.4-4ubuntu3.24
  • Introduced through: ubuntu@focal systemd/libudev1@245.4-4ubuntu3.24

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A vulnerability was found in systemd-resolved. This issue may allow systemd-resolved to accept records of DNSSEC-signed domains even when they have no signature, allowing man-in-the-middles (or the upstream DNS resolver) to manipulate records.

Remediation

There is no fixed version for Ubuntu:20.04 systemd.

References

CVE-2023-7008 vulnerability report

low severity

CVE-2023-4039

  • Vulnerable module: gcc-10/gcc-10-base
  • Introduced through: gcc-10/gcc-10-base@10.5.0-1ubuntu1~20.04, gcc-10/libgcc-s1@10.5.0-1ubuntu1~20.04 and others
  • Fixed in: 10.5.0-1ubuntu1~20.04.1+esm1

Detailed paths

  • Introduced through: ubuntu@focal gcc-10/gcc-10-base@10.5.0-1ubuntu1~20.04
  • Introduced through: ubuntu@focal gcc-10/libgcc-s1@10.5.0-1ubuntu1~20.04
  • Introduced through: ubuntu@focal gcc-10/libstdc++6@10.5.0-1ubuntu1~20.04

NVD Description

Note: Versions mentioned in the description apply only to the upstream gcc-10 package and not the gcc-10 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

DISPUTEDA failure in the -fstack-protector feature in GCC-based toolchains that target AArch64 allows an attacker to exploit an existing buffer overflow in dynamically-sized local variables in your application without this being detected. This stack-protector failure only applies to C99-style dynamically-sized local variables or those created using alloca(). The stack-protector operates as intended for statically-sized local variables.

The default behavior when the stack-protector detects an overflow is to terminate your application, resulting in controlled loss of availability. An attacker who can exploit a buffer overflow without triggering the stack-protector might be able to change program flow control to cause an uncontrolled loss of availability or to go further and affect confidentiality or integrity. NOTE: The GCC project argues that this is a missed hardening bug and not a vulnerability by itself.

Remediation

Upgrade Ubuntu:20.04 gcc-10 to version 10.5.0-1ubuntu1~20.04.1+esm1 or higher.

References

CVE-2023-4039 vulnerability report

low severity

Time-of-check Time-of-use (TOCTOU)

  • Vulnerable module: shadow/login
  • Introduced through: shadow/login@1:4.8.1-1ubuntu5.20.04.5 and shadow/passwd@1:4.8.1-1ubuntu5.20.04.5

Detailed paths

  • Introduced through: ubuntu@focal shadow/login@1:4.8.1-1ubuntu5.20.04.5
  • Introduced through: ubuntu@focal shadow/passwd@1:4.8.1-1ubuntu5.20.04.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

Remediation

There is no fixed version for Ubuntu:20.04 shadow.

References

Time-of-check Time-of-use (TOCTOU) vulnerability report

low severity

Out-of-bounds Write

  • Vulnerable module: gnupg2/gpgv
  • Introduced through: gnupg2/gpgv@2.2.19-3ubuntu2.4

Detailed paths

  • Introduced through: ubuntu@focal gnupg2/gpgv@2.2.19-3ubuntu2.4

NVD Description

Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

Remediation

There is no fixed version for Ubuntu:20.04 gnupg2.

References

Out-of-bounds Write vulnerability report

low severity

Arbitrary Code Injection

  • Vulnerable module: shadow/login
  • Introduced through: shadow/login@1:4.8.1-1ubuntu5.20.04.5 and shadow/passwd@1:4.8.1-1ubuntu5.20.04.5

Detailed paths

  • Introduced through: ubuntu@focal shadow/login@1:4.8.1-1ubuntu5.20.04.5
  • Introduced through: ubuntu@focal shadow/passwd@1:4.8.1-1ubuntu5.20.04.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

In Shadow 4.13, it is possible to inject control characters into fields provided to the SUID program chfn (change finger). Although it is not possible to exploit this directly (e.g., adding a new user fails because \n is in the block list), it is possible to misrepresent the /etc/passwd file when viewed. Use of \r manipulations and Unicode characters to work around blocking of the : character make it possible to give the impression that a new user has been added. In other words, an adversary may be able to convince a system administrator to take the system offline (an indirect, social-engineered denial of service) by demonstrating that "cat /etc/passwd" shows a rogue user account.

Remediation

There is no fixed version for Ubuntu:20.04 shadow.

References

Arbitrary Code Injection vulnerability report

low severity

Information Exposure

  • Vulnerable module: libgcrypt20
  • Introduced through: libgcrypt20@1.8.5-5ubuntu1.1

Detailed paths

  • Introduced through: ubuntu@focal libgcrypt20@1.8.5-5ubuntu1.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

Remediation

There is no fixed version for Ubuntu:20.04 libgcrypt20.

References

Information Exposure vulnerability report

low severity

CVE-2023-45918

  • Vulnerable module: ncurses/libncurses6
  • Introduced through: ncurses/libncurses6@6.2-0ubuntu2.1, ncurses/libncursesw6@6.2-0ubuntu2.1 and others

Detailed paths

  • Introduced through: ubuntu@focal ncurses/libncurses6@6.2-0ubuntu2.1
  • Introduced through: ubuntu@focal ncurses/libncursesw6@6.2-0ubuntu2.1
  • Introduced through: ubuntu@focal ncurses/libtinfo6@6.2-0ubuntu2.1
  • Introduced through: ubuntu@focal ncurses/ncurses-base@6.2-0ubuntu2.1
  • Introduced through: ubuntu@focal ncurses/ncurses-bin@6.2-0ubuntu2.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

Remediation

There is no fixed version for Ubuntu:20.04 ncurses.

References

CVE-2023-45918 vulnerability report

low severity

CVE-2024-56433

  • Vulnerable module: shadow/login
  • Introduced through: shadow/login@1:4.8.1-1ubuntu5.20.04.5 and shadow/passwd@1:4.8.1-1ubuntu5.20.04.5

Detailed paths

  • Introduced through: ubuntu@focal shadow/login@1:4.8.1-1ubuntu5.20.04.5
  • Introduced through: ubuntu@focal shadow/passwd@1:4.8.1-1ubuntu5.20.04.5

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. See How to fix? for Ubuntu:20.04 relevant fixed versions and status.

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

Remediation

There is no fixed version for Ubuntu:20.04 shadow.

References

CVE-2024-56433 vulnerability report