CVE-2011-0721 — shadow - missing input sanitization

Description

Multiple CRLF injection vulnerabilities in (1) chfn and (2) chsh in shadow 1:4.1.4 allow local users to add new users or groups to /etc/passwd via the GECOS field.

How to fix CVE-2011-0721

To remediate CVE-2011-0721, upgrade the affected package to a fixed version below.

Debian/shadow—upgrade to 1:4.1.4.2+svn3283-3 or later
Debian/shadow—upgrade to 1:4.1.4.2+svn3283-2+squeeze1 or later

Is CVE-2011-0721 being exploited?

Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1:4.1.4.2+svn3283-3
from 0, < 1:4.1.4.2+svn3283-2+squeeze1

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2011-0721