Details of VAR-200412-0291

ID

VAR-200412-0291

CVE

CVE-2004-2395

TITLE

Mandrake Linux passwd Unknown security vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200412-383

DESCRIPTION

Memory leak in passwd 0.68 allows local users to cause a denial of service (memory consumption) via a large number of failed read attempts from the password buffer. Two potential security issues reportedly affect the implementation of passwd included with Mandrake Linux, according to Mandrake advisory MDKSA-2004:045. According to the report, passwords supplied to passwd via stdin are incorrectly one character shorter than they should be. It is not known whether this behavior occurs at the interactive prompt or if the implementation allows for passwords to be "piped" to passwd through stdin. This may or may not have security implications as the user's password will not be stored correctly and the user will not be able to login. It is conceivable that this could result in a less secure password. The second issue reported by Mandrake is that PAM may not be initialized correctly and "safe and proper" operation may not be ensured. Further technical details are not known. Mandrake Linux is an open source operating system

Trust: 1.26

sources: NVD: CVE-2004-2395 // BID: 10370 // VULHUB: VHN-10823

AFFECTED PRODUCTS

vendor:	mandrakesoft	model:	mandrake linux corporate server	scope:	eq	version:	2.1	Trust: 1.6
vendor:	mandrakesoft	model:	mandrake linux	scope:	eq	version:	9.2	Trust: 1.6
vendor:	mandrakesoft	model:	mandrake linux	scope:	eq	version:	9.1	Trust: 1.6
vendor:	mandrakesoft	model:	mandrake multi network firewall	scope:	eq	version:	8.2	Trust: 1.6
vendor:	mandrakesoft	model:	mandrake linux	scope:	eq	version:	10.0	Trust: 1.6
vendor:	mandrakesoft	model:	mandrake linux	scope:	eq	version:	9.0	Trust: 1.6
vendor:	mandrakesoft	model:	mandrake linux	scope:	eq	version:	8.2	Trust: 1.6
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	10.0	Trust: 0.3
vendor:	mandriva	model:	linux mandrake amd64	scope:	eq	version:	9.2	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	9.2	Trust: 0.3
vendor:	mandriva	model:	linux mandrake ppc	scope:	eq	version:	9.1	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	9.1	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	9.0	Trust: 0.3
vendor:	mandriva	model:	linux mandrake ppc	scope:	eq	version:	8.2	Trust: 0.3
vendor:	mandriva	model:	linux mandrake	scope:	eq	version:	8.2	Trust: 0.3
vendor:	mandrakesoft	model:	multi network firewall	scope:	eq	version:	2.0	Trust: 0.3
vendor:	mandrakesoft	model:	corporate server x86 64	scope:	eq	version:	2.1	Trust: 0.3
vendor:	mandrakesoft	model:	corporate server	scope:	eq	version:	2.1	Trust: 0.3

sources: BID: 10370 // CNNVD: CNNVD-200412-383 // NVD: CVE-2004-2395

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2004-2395
value:	LOW
Trust: 1.0
CNNVD:	CNNVD-200412-383
value:	LOW
Trust: 0.6
VULHUB:	VHN-10823
value:	LOW
Trust: 0.1

nvd@nist.gov:	CVE-2004-2395
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0
VULHUB:	VHN-10823
severity:	LOW
baseScore:	2.1
vectorString:	AV:L/AC:L/AU:N/C:N/I:N/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	3.9
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-10823 // CNNVD: CNNVD-200412-383 // NVD: CVE-2004-2395

PROBLEMTYPE DATA

problemtype:

NVD-CWE-Other

Trust: 1.0

sources: NVD: CVE-2004-2395

THREAT TYPE

local

Trust: 0.9

sources: BID: 10370 // CNNVD: CNNVD-200412-383

TYPE

Unknown

Trust: 0.9

sources: BID: 10370 // CNNVD: CNNVD-200412-383

EXTERNAL IDS

db:	BID	id:	10370	Trust: 2.0
db:	NVD	id:	CVE-2004-2395	Trust: 1.7
db:	CNNVD	id:	CNNVD-200412-383	Trust: 0.7
db:	MANDRAKE	id:	MDKSA-2004:045	Trust: 0.6
db:	XF	id:	16180	Trust: 0.6
db:	NSFOCUS	id:	6467	Trust: 0.6
db:	VULHUB	id:	VHN-10823	Trust: 0.1

sources: VULHUB: VHN-10823 // BID: 10370 // CNNVD: CNNVD-200412-383 // NVD: CVE-2004-2395

REFERENCES

url:	http://www.securityfocus.com/bid/10370	Trust: 1.7
url:	http://www.mandriva.com/security/advisories?name=mdksa-2004:045	Trust: 1.7
url:	http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120060	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/16180	Trust: 1.1
url:	http://xforce.iss.net/xforce/xfdb/16180	Trust: 0.6
url:	http://www.nsfocus.net/vulndb/6467	Trust: 0.6

sources: VULHUB: VHN-10823 // CNNVD: CNNVD-200412-383 // NVD: CVE-2004-2395

CREDITS

Steve Grubb※ linux_4ever@yahoo.com

Trust: 0.6

sources: CNNVD: CNNVD-200412-383

SOURCES

db:	VULHUB	id:	VHN-10823
db:	BID	id:	10370
db:	CNNVD	id:	CNNVD-200412-383
db:	NVD	id:	CVE-2004-2395

LAST UPDATE DATE

2024-08-14T15:20:13.309000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-10823	date:	2017-07-11T00:00:00
db:	BID	id:	10370	date:	2004-05-17T00:00:00
db:	CNNVD	id:	CNNVD-200412-383	date:	2005-10-20T00:00:00
db:	NVD	id:	CVE-2004-2395	date:	2017-07-11T01:31:51.657

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-10823	date:	2004-12-31T00:00:00
db:	BID	id:	10370	date:	2004-05-17T00:00:00
db:	CNNVD	id:	CNNVD-200412-383	date:	2004-05-17T00:00:00
db:	NVD	id:	CVE-2004-2395	date:	2004-12-31T05:00:00