CVE-2024-28085
Public on 2024-03-27
Modified on 2024-03-28
Description
wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
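The gap described above is that one input path (stdin) was filtered and another (argv) was not. The following C sketch is an added example, not code from util-linux or from this advisory: it sends command-line words through the same control-byte filter as any other input, and its function names and its caret/hex escaping rules are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst with terminal control bytes made visible. Truncates
 * rather than overflows; dst is NUL-terminated whenever dstlen > 0. */
size_t sanitize_for_tty(const char *src, char *dst, size_t dstlen)
{
    size_t out = 0;
    if (dstlen == 0)
        return 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        char buf[5];
        int n;
        if (c == '\n' || c == '\t' || (c >= 0x20 && c < 0x7f))
            n = snprintf(buf, sizeof buf, "%c", c);          /* printable */
        else if (c < 0x20 || c == 0x7f)
            n = snprintf(buf, sizeof buf, "^%c", c ^ 0x40);  /* ESC -> ^[ */
        else
            n = snprintf(buf, sizeof buf, "\\x%02x", c);     /* 8-bit, C1 */
        if (out + (size_t)n >= dstlen)
            break;
        memcpy(dst + out, buf, (size_t)n);
        out += (size_t)n;
    }
    dst[out] = '\0';
    return out;
}

/* Join argv[1..] with spaces, sending every word through the same filter
 * as stdin input (hypothetical helper, not util-linux code). */
size_t message_from_argv(int argc, char **argv, char *dst, size_t dstlen)
{
    size_t out = 0;
    if (dstlen)
        dst[0] = '\0';
    for (int i = 1; i < argc; i++) {
        if (i > 1 && out + 1 < dstlen)
            dst[out++] = ' ';
        out += sanitize_for_tty(argv[i], dst + out, dstlen - out);
    }
    return out;
}

int main(int argc, char **argv)
{
    char msg[1024];
    message_from_argv(argc, argv, msg, sizeof msg);
    return puts(msg) == EOF;
}
```

Escaping every byte at or above 0x80 is a simplification that also mangles valid UTF-8; it is used here so that 8-bit C1 control bytes cannot reach the terminal.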
Severity
CVSS v3 Base Score
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 1 | util-linux | | | Not Affected |
Amazon Linux 2 - Core | util-linux | | | Not Affected |
Amazon Linux 2023 | util-linux | | | Pending Fix |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 5.6 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N |
NVD | CVSSv3 | 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |