Denial of service via insufficient metadata validation

Moderate severity GitHub Reviewed Published Feb 26, 2022 in google/fscrypt • Updated Jan 11, 2023

Package

gomod github.com/google/fscrypt (Go)

Affected versions

< 0.3.3

Patched versions

0.3.3

Description

The PAM module for fscrypt through v0.3.2 doesn't adequately validate fscrypt metadata files. A local user can create a malicious fscrypt metadata file that prevents other users from logging into the system, causing a denial of service. We recommend upgrading to v0.3.3 or above.

For more details, see CVE-2022-25327.

References

@ebiggers published to google/fscrypt Feb 26, 2022
Published to the GitHub Advisory Database Mar 1, 2022
Reviewed Mar 1, 2022
Last updated Jan 11, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-p93v-m2r2-4387

Source code

github.com/google/fscrypt
