CVE-2023-4641: 
Alma Linux vulnerability analysis and mitigation

CVE-2023-4641 is a security vulnerability discovered in shadow-utils, a package that includes programs for managing user and group accounts. The vulnerability was disclosed on December 27, 2023. The flaw affects shadow-utils versions up to (excluding) 4.14.0. When asking for a new password, shadow-utils asks the password twice, and if the password fails on the second attempt, shadow-utils fails in cleaning the buffer used to store the first entry (NVD).

The vulnerability occurs in the password change functionality where gpasswd(1) uses agetpass() to get the password twice for confirmation. If the second agetpass() fails, the first password, which has been copied into the 'static' buffer 'pass' via STRFCPY(), isn't properly zeroed out. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD, Red Hat).

This vulnerability could potentially allow an attacker with sufficient access to retrieve the password from memory. The impact is limited to confidentiality with no effect on integrity or availability. The vulnerability requires local access and low privileges to exploit (NVD).

The vulnerability has been fixed in shadow-utils version 4.14.0. Various Linux distributions have released security updates to address this vulnerability. Red Hat has released multiple security advisories (RHSA-2023:6632, RHSA-2023:7112, RHSA-2024:0417, RHSA-2024:2577) to patch affected versions (Red Hat).