CVE-2024-56433
Publication date 26 December 2024
Last updated 17 March 2025
Ubuntu priority
shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.
Read the notes from the security team
Why is this CVE low priority?
Needs administrator to have assigned conflicting UIDs
Status
Package | Ubuntu Release | Status |
---|---|---|
shadow | 24.10 oracular |
Vulnerable, fix deferred
|
24.04 LTS noble |
Vulnerable, fix deferred
|
|
22.04 LTS jammy |
Vulnerable, fix deferred
|
|
20.04 LTS focal |
Vulnerable, fix deferred
|
|
18.04 LTS bionic |
Vulnerable, fix deferred
|
|
16.04 LTS xenial |
Vulnerable, fix deferred
|