CVE-2016-1601 - Vulnerability Details - OpenCVE

yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, does not properly set empty password fields in /etc/shadow during an AutoYaST installation when the profile does not contain inst-sys users, which might allow attackers to have unspecified impact via unknown vectors.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Suse	Linux Enterprise Desktop Linux Enterprise Server Linux Enterprise Software Development Kit Yast2

Configuration 1 [-]

AND

cpe:2.3:o:suse:yast2:*:*:*:*:*:*:*:*

OR	cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1::::::
	cpe:2.3:o:suse:linux_enterprise_server:12:sp1::::::
	cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1::::::

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00051.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00007.html
https://bugzilla.suse.com/show_bug.cgi?id=974220
https://build.opensuse.org/request/show/388020

History

No history.

MITRE

Status: PUBLISHED

Assigner: microfocus

Published: 2016-04-26T14:00:00

Updated: 2024-08-05T23:02:12.143Z

Reserved: 2016-01-12T00:00:00

Link: CVE-2016-1601

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2016-04-26T14:59:00.127

Modified: 2025-04-12T10:46:40.837

Link: CVE-2016-1601

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-04-25T00:00:00", "descriptions": [{"lang": "en", "value": "yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, does not properly set empty password fields in /etc/shadow during an AutoYaST installation when the profile does not contain inst-sys users, which might allow attackers to have unspecified impact via unknown vectors."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-01-06T16:15:38", "orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "microfocus"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=974220"}, {"name": "openSUSE-SU-2016:1226", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00007.html"}, {"name": "SUSE-SU-2016:1138", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00051.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://build.opensuse.org/request/show/388020"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@microfocus.com", "ID": "CVE-2016-1601", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, does not properly set empty password fields in /etc/shadow during an AutoYaST installation when the profile does not contain inst-sys users, which might allow attackers to have unspecified impact via unknown vectors."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.suse.com/show_bug.cgi?id=974220", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=974220"}, {"name": "openSUSE-SU-2016:1226", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00007.html"}, {"name": "SUSE-SU-2016:1138", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00051.html"}, {"name": "https://build.opensuse.org/request/show/388020", "refsource": "CONFIRM", "url": "https://build.opensuse.org/request/show/388020"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T23:02:12.143Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=974220"}, {"name": "openSUSE-SU-2016:1226", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00007.html"}, {"name": "SUSE-SU-2016:1138", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00051.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://build.opensuse.org/request/show/388020"}]}]}, "cveMetadata": {"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "assignerShortName": "microfocus", "cveId": "CVE-2016-1601", "datePublished": "2016-04-26T14:00:00", "dateReserved": "2016-01-12T00:00:00", "dateUpdated": "2024-08-05T23:02:12.143Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:suse:yast2:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD57F353-22D7-4258-A99B-8A57EEEB82A4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1:*:*:*:*:*:*", "matchCriteriaId": "3A0BA503-3F96-48DA-AF47-FBA37A9D0C48", "vulnerable": false}, {"criteria": "cpe:2.3:o:suse:linux_enterprise_server:12:sp1:*:*:*:*:*:*", "matchCriteriaId": "2076747F-A98E-4DD9-9B52-BF1732BCAD3D", "vulnerable": false}, {"criteria": "cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1:*:*:*:*:*:*", "matchCriteriaId": "5A633996-2FD7-467C-BAA6-529E16BD06D1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, does not properly set empty password fields in /etc/shadow during an AutoYaST installation when the profile does not contain inst-sys users, which might allow attackers to have unspecified impact via unknown vectors."}, {"lang": "es", "value": "yast2-users en versiones anteriores a 3.1.47, como se utiliza en SUSE Linux Enterprise 12 SP1, no establece correctamente campos de contrase\u00f1a vac\u00edos en /etc/shadow durante una instalaci\u00f3n AutoYaST cuando el perfil no contiene usuarios inst-sys, lo que podr\u00eda permitir a atacantes tener un impacto no especificado a trav\u00e9s de vectores desconocidos."}], "id": "CVE-2016-1601", "lastModified": "2025-04-12T10:46:40.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-04-26T14:59:00.127", "references": [{"source": "security@opentext.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00051.html"}, {"source": "security@opentext.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00007.html"}, {"source": "security@opentext.com", "url": "https://bugzilla.suse.com/show_bug.cgi?id=974220"}, {"source": "security@opentext.com", "url": "https://build.opensuse.org/request/show/388020"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00051.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00007.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.suse.com/show_bug.cgi?id=974220"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://build.opensuse.org/request/show/388020"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}