yast2-users before 3.1.47, as used in SUSE Linux Enterprise 12 SP1, does not properly set empty password fields in /etc/shadow during an AutoYaST installation when the profile does not contain inst-sys users, which might allow attackers to have unspecified impact via unknown vectors.
Published: 2016-04-26T14:59:00.127
Last modified: 2025-04-12T10:46:40.837
Status: Deferred
CVSSv3.0: 9.8 (CRITICAL)
CVSSv2 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
10.0
10.0
Type | Vendor | Product | Version/Range | Vulnerable? |
---|---|---|---|---|
Operating System | suse | yast2 | * | Yes |
Operating System | suse | linux_enterprise_desktop | 12 | No |
Operating System | suse | linux_enterprise_server | 12 | No |
Operating System | suse | linux_enterprise_software_development_kit | 12 | No |