CVE-2016-1601

CRITICAL

yast2-users <3.1.47 - Info Disclosure

Title source: llm

Description

yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, does not properly set empty password fields in /etc/shadow during an AutoYaST installation when the profile does not contain inst-sys users, which might allow attackers to have unspecified impact via unknown vectors.

References (4)

Core 4

Core References

Issue Tracking x_refsource_confirm

https://bugzilla.suse.com/show_bug.cgi?id=974220

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00007.html

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00051.html

Various Sources x_refsource_confirm

https://build.opensuse.org/request/show/388020

Scores

CVSS v3 9.8

EPSS 0.0045

EPSS Percentile 64.0%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-255

Status published

Products (1)

suse/yast2

Published Apr 26, 2016

Tracked Since Feb 18, 2026