CVE-2023-4641

Name: CVE-2023-4641
Creator: NVD / NIST
Published: 2023-12-27T16:15:13.363+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

MEDIUMCVSS 5.5/10EPSS 0.26%

Last modified Jun 17, 2026

CVE-2023-4641 is a medium-severity vulnerability rated 5.5/10 on the CVSS scale. A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. EPSS estimates a 0.26% chance of exploitation in the next 30 days.

Description

A flaw was found in shadow-utils. When asking for a new password, shadow-utils asks the password twice. If the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry. This may allow an attacker with enough access to retrieve the password from the memory.

Metrics

CVSS 3.1

5.5/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.26%

17.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Shadow-Maint	Shadow-Utils	< 4.14.0
Redhat	Codeready Linux Builder	8.0
Redhat	Codeready Linux Builder	9.0
Redhat	Codeready Linux Builder For Arm64	8.0_aarch64
Redhat	Codeready Linux Builder For Arm64	9.0_aarch64
Redhat	Codeready Linux Builder For Ibm Z Systems	8.0_s390x
Redhat	Codeready Linux Builder For Ibm Z Systems	9.0_s390x
Redhat	Codeready Linux Builder For Power Little Endian	8.0_ppc64le
Redhat	Codeready Linux Builder For Power Little Endian	9.0_ppc64le
Redhat	Enterprise Linux	8.0
Redhat	Enterprise Linux	9.0
Redhat	Enterprise Linux For Arm 64	8.0
Redhat	Enterprise Linux For Arm 64	9.0
Redhat	Enterprise Linux For Ibm Z Systems	8.0_s390x
Redhat	Enterprise Linux For Ibm Z Systems	9.0_s390x
Redhat	Enterprise Linux For Power Little Endian	8.0_ppc64le
Redhat	Enterprise Linux For Power Little Endian	9.0_ppc64le

References

https://access.redhat.com/errata/RHSA-2023:6632Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7112Third Party Advisory
https://access.redhat.com/errata/RHSA-2024:0417
https://access.redhat.com/errata/RHSA-2024:2577
https://access.redhat.com/security/cve/CVE-2023-4641Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2215945Issue Tracking
https://access.redhat.com/errata/RHSA-2023:6632Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7112Third Party Advisory
https://access.redhat.com/errata/RHSA-2024:0417
https://access.redhat.com/errata/RHSA-2024:2577
https://access.redhat.com/security/cve/CVE-2023-4641Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2215945Issue Tracking
https://lists.debian.org/debian-lts-announce/2025/04/msg00026.html

Timeline

Published: Dec 27, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-4641?

How severe is CVE-2023-4641?

CVE-2023-4641 has a CVSS score of 5.5/10 (MEDIUM severity). The EPSS model estimates a 0.26% probability of exploitation in the next 30 days.

How do I fix CVE-2023-4641?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-4641?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST