CVE-2023-40303 — Vulnetix

CVE-2023-40303 PUBLISHED CVSS 7.800000190734863 HIGH

GNU inetutils through 2.4 may allow privilege escalation because of unchecked return values of set*id() family functions in ftpd, rcp, rlogin, rsh, rshd, and uucpd. This is, for example, relevant if the setuid system call fails when a process is trying to drop privileges before letting an ordinary user control the activities of the process.

EPSS 0.05% · 17.0th percentile

Risk Scores

CVSS 3.1

7.800000190734863

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.05%

17.0th percentile

Affected Products

Vendor	Product	Versions
gnu	inetutils	0
n/a	n/a	n/a

Exploit Intelligence

https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html (nist-nvd)
CIRCL seen: CVE-2023-40303 (circl-sighting)
https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 (circl)
https://ftp.gnu.org/gnu/inetutils/ (circl)
[debian-lts-announce] 20231008 [SECURITY] [DLA 3611-1] inetutils security update (circl)
[oss-security] 20231230 Re: inetutils ftpd, rcp, rlogin, rsh, rshd, uucpd: Avoid potential privilege escalations by checking set*id() return values (circl)

Timeline

Aug 14, 2023 CVE Published
Aug 14, 2023 EPSS Score
Sep 16, 2023 EPSS Score
Oct 20, 2023 EPSS Score
Nov 22, 2023 EPSS Score
Dec 26, 2023 EPSS Score
Jan 28, 2024 EPSS Score
Mar 2, 2024 EPSS Score
Apr 4, 2024 EPSS Score
May 8, 2024 EPSS Score
Jun 10, 2024 EPSS Score
Jul 13, 2024 EPSS Score

References

https://git.savannah.gnu.org/cgit/inetutils.git/commit/?id=e4e65c03f4c11292a3e40ef72ca3f194c8bffdd6 url
https://lists.gnu.org/archive/html/bug-inetutils/2023-07/msg00000.html url
https://ftp.gnu.org/gnu/inetutils/ url
[debian-lts-announce] 20231008 [SECURITY] [DLA 3611-1] inetutils security update mailing-list
[oss-security] 20231230 Re: inetutils ftpd, rcp, rlogin, rsh, rshd, uucpd: Avoid potential privilege escalations by checking set*id() return values mailing-list
https://nvd.nist.gov/vuln/detail/CVE-2023-40303 advisory
https://ftp.gnu.org/gnu/inetutils url

Open in Interactive Console →