CVE-2016-1601 - yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, does not properly set empty pass

CVE-2016-1601

Summary

yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, does not properly set empty password fields in /etc/shadow during an AutoYaST installation when the profile does not contain inst-sys users, which might allow attackers to have unspecified impact via unknown vectors.

References

Vulnerable Configurations

cpe:2.3:o:suse:yast2:*:*:*:*:*:*:*:*
cpe:2.3:o:suse:yast2:*:*:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:12:sp1:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_server:12:sp1:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1:*:*:*:*:*:*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1:*:*:*:*:*:*

CVSS

Base:	10.0 (as of 01-12-2016 - 03:05)
Impact:
Exploitability:

CWE

CWE-255

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:N/C:C/I:C/A:C

refmap via4

confirm	https://bugzilla.suse.com/show_bug.cgi?id=974220 https://build.opensuse.org/request/show/388020
suse	SUSE-SU-2016:1138 openSUSE-SU-2016:1226

Last major update

01-12-2016 - 03:05

Published

26-04-2016 - 14:59

Last modified

01-12-2016 - 03:05