Incorrect Permission Assignment for Critical Resource The advisory has been revoked - it doesn't affect any version of package shadow Open this link in a new tab
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-UBUNTU1910-SHADOW-581702
- published 15 Feb 2018
- disclosed 15 Feb 2018
Introduced: 15 Feb 2018
CVE-2018-7169 Open this link in a new tabAmendment
The Ubuntu security team deemed this advisory irrelevant for Ubuntu:19.10.
NVD Description
Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu.
An issue was discovered in shadow 4.5. newgidmap (in shadow-utils) is setuid and allows an unprivileged user to be placed in a user namespace where setgroups(2) is permitted. This allows an attacker to remove themselves from a supplementary group, which may allow access to certain filesystem paths if the administrator has used "group blacklisting" (e.g., chmod g-rwx) to restrict access to paths. This flaw effectively reverts a security feature in the kernel (in particular, the /proc/self/setgroups knob) to prevent this sort of privilege escalation.