CVE-2021-40084
Linux Debian vulnerability analysis and mitigation

Overview

opensysusers through 0.6 contains a security vulnerability (CVE-2021-40084): it does not safely use eval on files in sysusers.d, which may contain shell metacharacters. For example, it allows command execution via a crafted GECOS field, whereas systemd-sysusers (a program implementing the same specification) does not (Debian Bug).

Technical details

The vulnerability stems from the unsafe use of the shell's eval command on everything in sysusers.d files. The program processes these files without properly sanitizing input, particularly the GECOS field, which can contain shell metacharacters that should never result in code execution. This behavior differs from systemd-sysusers, which handles the same input safely (Debian Bug). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Impact

The vulnerability allows an attacker to execute arbitrary commands through crafted input in the GECOS field of sysusers.d configuration files. For example, an attacker could create a configuration that executes destructive commands when processed, such as deleting system files (Debian Bug).

Mitigation and workarounds

The vulnerability was fixed in opensysusers version 0.6-3 by modifying how the GECOS field is processed to avoid using eval. The patch sets the GECOS field without using eval, under the assumption that the double quote character is not valid for Type, Name, and ID fields (Debian Bug).
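To make the difference between the two parsing strategies concrete, here is an added POSIX shell example. It is not opensysusers' own code and not the Debian patch; it contrasts an eval-based line splitter with a literal parser on a constructed sysusers.d entry whose GECOS field holds a harmless command substitution. The literal parser relies on the same assumption the fix relies on: the first double quote on the line begins the GECOS field, because the Type, Name and ID fields never contain one. The has_shell_metachars helper is a hypothetical audit check for flagging entries that an eval-based consumer would interpret.

```shell
#!/bin/sh
# Added example (not opensysusers' or Debian's code): eval-based versus
# literal parsing of a sysusers.d line.  Format: Type Name ID "GECOS" Home Shell

# Constructed sample entry; the GECOS field carries a benign $(...) marker.
SAMPLE_LINE='u demo 999 "Demo $(echo INJECTED) User" /var/lib/demo /usr/sbin/nologin'

# Unsafe pattern: eval honours the quotes around GECOS, but it also performs
# command substitution, backtick expansion and variable expansion on the data.
parse_gecos_eval() {
    eval "set -- $1"
    printf '%s\n' "$4"
}

# Safe pattern: strip the surrounding double quotes with parameter expansion
# only.  Assumes (as the fix does) that Type, Name and ID contain no '"'.
parse_gecos_literal() {
    line=$1
    rest=${line#*\"}          # drop everything up to and including the first "
    printf '%s\n' "${rest%%\"*}"   # keep text up to the next ", verbatim
}

# Audit helper (hypothetical): does a field contain characters that eval
# would interpret?  Useful for reviewing existing sysusers.d files.
has_shell_metachars() {
    case $1 in
        *'$'*|*'`'*|*';'*|*'|'*|*'&'*|*'('*|*')'*|*'<'*|*'>'*) return 0 ;;
    esac
    return 1
}

# Demonstration: the eval path expands the marker, the literal path does not.
printf 'eval-based parser : %s\n' "$(parse_gecos_eval "$SAMPLE_LINE")"
printf 'literal parser    : %s\n' "$(parse_gecos_literal "$SAMPLE_LINE")"
if has_shell_metachars "$(parse_gecos_literal "$SAMPLE_LINE")"; then
    echo 'audit: GECOS field contains shell metacharacters'
fi
```

Run under dash or bash: the eval-based parser prints "Demo INJECTED User", showing that data from the file was executed as shell code during parsing, while the literal parser returns the field exactly as written. The audit helper errs on the side of flagging, since a consumer that avoids eval can store any of those characters safely.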

This report was generated using AI.

Related Linux Debian vulnerabilities:

CVE ID          Severity  Score  Technologies  Component name        CISA KEV exploit  Has fix  Published date
CVE-2025-11266  MEDIUM    6.8    Linux Debian  gdcm                  No                No       Dec 12, 2025
CVE-2025-67897  MEDIUM    5.3    Linux Debian  rust-sequoia-openpgp  No                Yes      Dec 14, 2025
CVE-2025-14607  MEDIUM    5.3    Linux Debian  dcmtk                 No                No       Dec 13, 2025
CVE-2025-67749  MEDIUM    5.3    Linux Debian  pcsx2                 No                No       Dec 12, 2025
CVE-2025-40345  N/A       N/A    Linux Kernel  bpftool               No                Yes      Dec 12, 2025
