{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2023 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2019-19882","title":"Title"},{"category":"description","text":"shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2019-19882","url":"https://www.suse.com/security/cve/CVE-2019-19882"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1159633 for CVE-2019-19882","url":"https://bugzilla.suse.com/1159633"}],"title":"SUSE CVE CVE-2019-19882","tracking":{"current_release_date":"2023-02-15T04:05:47Z","generator":{"date":"2023-02-15T04:05:47Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2019-19882","initial_release_date":"2023-02-15T04:05:47Z","revision_history":[{"date":"2023-02-15T04:05:47Z","number":"2","summary":"Current version"}],"status":"interim","version":"2"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE CaaS Platform 3.0","product":{"name":"SUSE CaaS Platform 3.0","product_id":"SUSE CaaS Platform 3.0","product_identification_helper":{"cpe":"cpe:/o:suse:caasp:3.0"}}},{"category":"product_name","name":"SUSE Container as a Service Platform 2.0","product":{"name":"SUSE Container as a Service Platform 2.0","product_id":"SUSE Container as a Service Platform 2.0","product_identification_helper":{"cpe":"cpe:/o:suse:caasp:2.0"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_id":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Desktop 12 SP4","product":{"name":"SUSE Linux Enterprise Desktop 12 SP4","product_id":"SUSE Linux Enterprise Desktop 12 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sled:12:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15","product_id":"SUSE Linux Enterprise Module for Basesystem 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_id":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Performance Computing 12 SP4","product":{"name":"SUSE Linux Enterprise High Performance Computing 12 SP4","product_id":"SUSE Linux Enterprise High Performance Computing 12 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sle-hpc:12:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Performance Computing 12 SP5","product":{"name":"SUSE Linux Enterprise High Performance Computing 12 SP5","product_id":"SUSE Linux Enterprise High Performance Computing 12 SP5","product_identification_helper":{"cpe":"cpe:/o:suse:sle-hpc:12:sp5"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15","product_id":"SUSE Linux Enterprise Module for Basesystem 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_id":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 12 SP1-LTSS","product":{"name":"SUSE Linux Enterprise Server 12 SP1-LTSS","product_id":"SUSE Linux Enterprise Server 12 SP1-LTSS","product_identification_helper":{"cpe":"cpe:/o:suse:sles-ltss:12:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 12 SP2-LTSS","product":{"name":"SUSE Linux Enterprise Server 12 SP2-LTSS","product_id":"SUSE Linux Enterprise Server 12 SP2-LTSS","product_identification_helper":{"cpe":"cpe:/o:suse:sles-ltss:12:sp2"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 12 SP3-LTSS","product":{"name":"SUSE Linux Enterprise Server 12 SP3-LTSS","product_id":"SUSE Linux Enterprise Server 12 SP3-LTSS","product_identification_helper":{"cpe":"cpe:/o:suse:sles-ltss:12:sp3"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 12 SP4","product":{"name":"SUSE Linux Enterprise Server 12 SP4","product_id":"SUSE Linux Enterprise Server 12 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sles:12:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 12 SP4-LTSS","product":{"name":"SUSE Linux Enterprise Server 12 SP4-LTSS","product_id":"SUSE Linux Enterprise Server 12 SP4-LTSS","product_identification_helper":{"cpe":"cpe:/o:suse:sles-ltss:12:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server 12 SP5","product":{"name":"SUSE Linux Enterprise Server 12 SP5","product_id":"SUSE Linux Enterprise Server 12 SP5","product_identification_helper":{"cpe":"cpe:/o:suse:sles:12:sp5"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15","product_id":"SUSE Linux Enterprise Module for Basesystem 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_id":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server Teradata 12 SP3","product":{"name":"SUSE Linux Enterprise Server Teradata 12 SP3","product_id":"SUSE Linux Enterprise Server Teradata 12 SP3","product_identification_helper":{"cpe":"cpe:/o:suse:sles_teradata:12:sp3"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 12 SP2","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 12 SP2","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP2","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:12:sp2"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 12 SP3","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 12 SP3","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP3","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:12:sp3"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 12 SP4","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 12 SP4","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:12:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 12 SP5","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 12 SP5","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP5","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:12:sp5"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15","product_id":"SUSE Linux Enterprise Module for Basesystem 15","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_id":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_id":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_id":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15:sp1"}}},{"category":"product_name","name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product":{"name":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_id":"SUSE Linux Enterprise Module for Basesystem 15 SP1","product_identification_helper":{"cpe":"cpe:/o:suse:sle-module-basesystem:15:sp1"}}},{"category":"product_version","name":"shadow","product":{"name":"shadow","product_id":"shadow","product_identification_helper":{"cpe":"cpe:2.3:a:shadow_project:shadow:*:*:*:*:*:*:*:*"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE CaaS Platform 3.0","product_id":"SUSE CaaS Platform 3.0:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE CaaS Platform 3.0"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Container as a Service Platform 2.0","product_id":"SUSE Container as a Service Platform 2.0:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Container as a Service Platform 2.0"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Desktop 12 SP4","product_id":"SUSE Linux Enterprise Desktop 12 SP4:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Desktop 12 SP4"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise High Performance Computing 12 SP4","product_id":"SUSE Linux Enterprise High Performance Computing 12 SP4:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 12 SP4"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise High Performance Computing 12 SP5","product_id":"SUSE Linux Enterprise High Performance Computing 12 SP5:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise High Performance Computing 12 SP5"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Module for Basesystem 15","product_id":"SUSE Linux Enterprise Module for Basesystem 15:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Module for Basesystem 15"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Module for Basesystem 15 SP1","product_id":"SUSE Linux Enterprise Module for Basesystem 15 SP1:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Module for Basesystem 15 SP1"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Server 12 SP1-LTSS","product_id":"SUSE Linux Enterprise Server 12 SP1-LTSS:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Server 12 SP1-LTSS"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Server 12 SP2-LTSS","product_id":"SUSE Linux Enterprise Server 12 SP2-LTSS:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Server 12 SP2-LTSS"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Server 12 SP3-LTSS","product_id":"SUSE Linux Enterprise Server 12 SP3-LTSS:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Server 12 SP3-LTSS"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Server 12 SP4","product_id":"SUSE Linux Enterprise Server 12 SP4:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Server 12 SP4"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Server 12 SP4-LTSS","product_id":"SUSE Linux Enterprise Server 12 SP4-LTSS:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Server 12 SP4-LTSS"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Server 12 SP5","product_id":"SUSE Linux Enterprise Server 12 SP5:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Server 12 SP5"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Server Teradata 12 SP3","product_id":"SUSE Linux Enterprise Server Teradata 12 SP3:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Server Teradata 12 SP3"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Server for SAP Applications 12 SP2","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP2:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 12 SP2"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Server for SAP Applications 12 SP3","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP3:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 12 SP3"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Server for SAP Applications 12 SP4","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP4:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 12 SP4"},{"category":"default_component_of","full_product_name":{"name":"shadow as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP5:shadow"},"product_reference":"shadow","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 12 SP5"}]},"vulnerabilities":[{"cve":"CVE-2019-19882","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2019-19882"}],"notes":[{"category":"general","text":"shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).","title":"Vulnerability description"}],"product_status":{"known affected":["SUSE Linux Enterprise Server 12 SP4-LTSS:shadow"],"known not affected":["SUSE CaaS Platform 3.0:shadow","SUSE Container as a Service Platform 2.0:shadow","SUSE Linux Enterprise Desktop 12 SP4:shadow","SUSE Linux Enterprise High Performance Computing 12 SP4:shadow","SUSE Linux Enterprise High Performance Computing 12 SP5:shadow","SUSE Linux Enterprise Module for Basesystem 15 SP1:shadow","SUSE Linux Enterprise Module for Basesystem 15:shadow","SUSE Linux Enterprise Server 12 SP1-LTSS:shadow","SUSE Linux Enterprise Server 12 SP2-LTSS:shadow","SUSE Linux Enterprise Server 12 SP3-LTSS:shadow","SUSE Linux Enterprise Server 12 SP4:shadow","SUSE Linux Enterprise Server 12 SP5:shadow","SUSE Linux Enterprise Server Teradata 12 SP3:shadow","SUSE Linux Enterprise Server for SAP Applications 12 SP2:shadow","SUSE Linux Enterprise Server for SAP Applications 12 SP3:shadow","SUSE Linux Enterprise Server for SAP Applications 12 SP4:shadow","SUSE Linux Enterprise Server for SAP Applications 12 SP5:shadow"]},"references":[{"category":"external","summary":"CVE-2019-19882","url":"https://www.suse.com/security/cve/CVE-2019-19882"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1159633 for CVE-2019-19882","url":"https://bugzilla.suse.com/1159633"}],"threats":[{"category":"impact","date":"2019-12-18T22:59:24Z","details":"important"}],"title":"CVE-2019-19882"}]}