Search

Find a vulnerability

Search criteria

    1 vulnerability found for InetUtils by gnu

    GCVE-1-2026-0007 (CVE-2026-24061)

    Vulnerability from gna-1 – Published: 2026-01-20 20:57 – Updated: 2026-01-26 16:32
    VLAI
    Title
    GNU InetUtils Security Advisory: remote authentication by-pass in telnetd
    Summary
    The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter. If the client supply a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes. This happens because the telnetd server do not sanitize the USER environment variable before passing it on to login(1), and login(1) uses the -f parameter to by-pass normal authentication. Severity: High Vulnerable versions: GNU InetUtils since version 1.9.3 up to and including version 2.7.
    CWE
    • CWE-20 - Improper Input Validation
    Assigner
    Impacted products
    Vendor Product Version
    gnu InetUtils Affected: 1.9.3 , ≤ 2.7
    Create a notification for this product.
    Credits
    Kyu Neushwaistein aka Carlos Cortes Alvarez Simon Josefsson
    Relationships

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "InetUtils",
              "vendor": "gnu",
              "versions": [
                {
                  "lessThanOrEqual": "2.7",
                  "status": "affected",
                  "version": "1.9.3"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kyu Neushwaistein aka Carlos Cortes Alvarez"
            },
            {
              "lang": "en",
              "type": "remediation developer",
              "value": "Simon Josefsson"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cpre\u003eThe telnetd server invokes /usr/bin/login (normally running as root)\npassing the value of the USER environment variable received from the\nclient as the last parameter.\n\nIf the client supply a carefully crafted USER environment value being\nthe string \"-f root\", and passes the telnet(1) -a or --login parameter\nto send this USER environment to the server, the client will be\nautomatically logged in as root bypassing normal authentication\nprocesses.\n\nThis happens because the telnetd server do not sanitize the USER\nenvironment variable before passing it on to login(1), and login(1)\nuses the -f parameter to by-pass normal authentication.\n\nSeverity: High\n\nVulnerable versions: GNU InetUtils since version 1.9.3 up to and\nincluding version 2.7.\u003c/pre\u003e\u003cbr\u003e"
                }
              ],
              "value": "The telnetd server invokes /usr/bin/login (normally running as root)\npassing the value of the USER environment variable received from the\nclient as the last parameter.\n\nIf the client supply a carefully crafted USER environment value being\nthe string \"-f root\", and passes the telnet(1) -a or --login parameter\nto send this USER environment to the server, the client will be\nautomatically logged in as root bypassing normal authentication\nprocesses.\n\nThis happens because the telnetd server do not sanitize the USER\nenvironment variable before passing it on to login(1), and login(1)\nuses the -f parameter to by-pass normal authentication.\n\nSeverity: High\n\nVulnerable versions: GNU InetUtils since version 1.9.3 up to and\nincluding version 2.7."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-13",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-13 Subverting Environment Variable Values"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20 Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "orgId": "00000000-0000-4000-9000-000000000000"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://seclists.org/oss-sec/2026/q1/89"
            },
            {
              "tags": [
                "related"
              ],
              "url": "https://codeberg.org/inetutils/inetutils/commit/fa3245ac8c288b87139a0da8249d0a408c4dfb87"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "GNU InetUtils Security Advisory: remote authentication by-pass in telnetd",
          "x_gcve": [
            {
              "recordType": "advisory",
              "relationships": [
                {
                  "destId": "CVE-2007-0882",
                  "type": "related"
                },
                {
                  "destId": "CVE-1999-0113",
                  "type": "related"
                }
              ],
              "vulnId": "GCVE-1-2026-0007"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "00000000-0000-4000-9000-000000000000",
        "cveId": "CVE-2026-24061",
        "datePublished": "2026-01-20T20:57:00.000Z",
        "dateUpdated": "2026-01-26T16:32:40.831364Z",
        "requesterUserId": "00000000-0000-4000-9000-000000000000",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1-2026-0007",
        "vulnerabilitylookup_history": [
          [
            "alexandre.dulaunoy@circl.lu",
            "2026-01-20T20:57:01.702747Z"
          ],
          [
            "cedric.bonhomme@circl.lu",
            "2026-01-23T10:57:36.157223Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2026-01-26T16:26:04.438979Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2026-01-26T16:26:56.813944Z"
          ],
          [
            "alexandre.dulaunoy@circl.lu",
            "2026-01-26T16:32:40.831364Z"
          ]
        ]
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }