{"id":"CVE-2017-12424","details":"In shadow before 4.5, the newusers tool could be made to manipulate internal data structures in ways unintended by the authors. Malformed input may lead to crashes (with a buffer overflow or other memory corruption) or other unspecified behaviors. This crosses a privilege boundary in, for example, certain web-hosting environments in which a Control Panel allows an unprivileged user account to create subaccounts.","modified":"2026-04-16T06:21:34.141394394Z","published":"2017-08-04T09:29:00.187Z","related":["SUSE-SU-2017:2947-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00020.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201710-16"},{"type":"REPORT","url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756630"},{"type":"REPORT","url":"https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1266675"},{"type":"FIX","url":"https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/shadow-maint/shadow","events":[{"introduced":"0"},{"fixed":"15be89f89d553c06d52453721ee8e9a8433cfdfd"},{"fixed":"954e3d2e7113e9ac06632aee3c69b8d818cc8952"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"4.5"}]}}],"versions":["4.2.1","4.3.0","4.3.1","4.4"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-12424.json","vanir_signatures":[{"signature_version":"v1","id":"CVE-2017-12424-03cfbe43","deprecated":false,"target":{"file":"lib/commonio.c","function":"commonio_sort"},"source":"https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952","digest":{"function_hash":"202960249321229963769209149281777145406","length":1301},"signature_type":"Function"},{"deprecated":false,"target":{"file":"lib/commonio.c"},"source":"https://github.com/shadow-maint/shadow/commit/954e3d2e7113e9ac06632aee3c69b8d818cc8952","signature_version":"v1","id":"CVE-2017-12424-edcd3aea","digest":{"threshold":0.9,"line_hashes":["97343475326322419711596104090918875231","83194384294095812938514171149688776297","49828281674662981068131804184564246995","227046944271181385809801992820021682302","1653437717679775265908824231283286026","214632539084617417013768092814222728552","318040977496812136268312631380998312745","353291072014180465658511793697293332","109635299101909868755650757144999621569","173175273233810461831180419687946402416","157547641036649591868026189959014193376","57750577214612977192018795620048358807","89344191378839295817891035874517221208"]},"signature_type":"Line"}],"vanir_signatures_modified":"2026-04-11T04:47:22Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}