CVE-2023-40303

Published: 14/08/2023 Updated: 02/01/2024
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8

Vulnerability Summary

GNU inetutils before 2.5 may allow privilege escalation because the return values of the set*id() family of functions are not checked in ftpd, rcp, rlogin, rsh, rshd, and uucpd. This matters, for example, when the setuid() system call fails while a process is trying to drop its privileges before handing control of its activities to an ordinary user: the failure goes unnoticed and the process continues to act on the user's behalf with its original, elevated privileges.
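The following C program is an added illustration of the bug class described above; it is not inetutils' code and does not reproduce any of the affected daemons. It places the vulnerable shape (set*id() results discarded) next to a hardened privilege-drop routine that checks every call, drops groups before the user ID, reads the IDs back, and confirms that root cannot be regained. The function names, the group-handling choices and the sample main() are assumptions made for the example. setuid() can fail for a privileged process too, for instance with EAGAIN when the target user's process count is at its RLIMIT_NPROC limit, which is why the return value must be checked rather than assumed to succeed.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable pattern (the shape of the advisory's bug, not inetutils' code):
 * the set*id() return values are discarded.  If setuid() fails (EPERM, or
 * EAGAIN when the target uid is at its RLIMIT_NPROC), the caller carries on
 * serving the untrusted user with the original, possibly root, credentials. */
void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    (void)setgid(gid);  /* result ignored */
    (void)setuid(uid);  /* result ignored: a failure here is never seen */
}

/* Returns 1 if the real and effective uid/gid all equal the requested pair. */
int ids_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Hardened pattern: every step is checked, supplementary groups and the gid
 * are changed while we are still root (a non-root uid could no longer change
 * them), and the outcome is verified by reading the IDs back.  Returns 0 on
 * success, -1 with errno set otherwise.  Callers must treat -1 as fatal and
 * exit instead of continuing to serve the client. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    /* Only a privileged process can (or needs to) reset supplementary groups. */
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;

    /* Do not trust success codes alone: read the credentials back. */
    if (!ids_match(uid, gid)) {
        errno = EPERM;
        return -1;
    }
    /* If we left root, regaining it must now be impossible (covers the saved
     * uid, which setuid() from root is required to change as well). */
    if (uid != 0 && setuid(0) != -1) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Dropping to our own ids always succeeds and exercises the full path. */
    if (drop_privileges_checked(getuid(), getgid()) == -1) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %u gid %u\n", (unsigned)geteuid(), (unsigned)getegid());

    /* As an unprivileged user, asking for ids we may not take fails with EPERM.
     * The unchecked variant would swallow exactly this error. */
    if (getuid() != 0) {
        drop_privileges_unchecked(0, 0);
        printf("unchecked drop to 0/0: still uid %u, no error reported\n",
               (unsigned)geteuid());
        if (drop_privileges_checked(0, 0) == -1)
            printf("checked drop to 0/0 refused: %s\n", strerror(errno));
    }
    return 0;
}
```

Run it as an ordinary user to see the checked routine report EPERM where the unchecked one stays silent; run it as root to see the full groups/gid/uid sequence and the regain-root check execute.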

Vulnerable Products

gnu inetutils

Vendor Advisories

Debian Bug report logs - #1049365 inetutils: CVE-2023-40303. Package: src:inetutils; Maintainer for src:inetutils is Guillem Jover <guillem@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Mon, 14 Aug 2023 18:45:02 UTC; Severity: important; Tags: security, upstream; Found in version inetutils/2:2 ...

Mailing Lists

On Sat, Dec 30, 2023 at 05:26:00PM +0100, Solar Designer wrote: This is CVE-2023-40303. Debian also patched the issues in LTS: lists.debian.org/debian-lts-announce/2023/10/msg00013.html. There's still the supposedly-cannot-fail memory allocation on setuid(), where it contains a supposedly-unreachable error return code. Back then, I ...