CVE-2022-25327: User login denial of service in github.com/google/fscrypt

February 26, 2022 (updated March 1, 2022)

The PAM module for fscrypt does not adequately validate fscrypt metadata files, allowing users to create malicious metadata files that prevent other users from logging in. A local user can cause a denial of service by creating a fscrypt metadata file that prevents other users from logging into the system. We recommend upgrading to version 0.3.3 or above

References

github.com/advisories/GHSA-8vwm-8vj8-rqjf
github.com/google/fscrypt/pull/346
nvd.nist.gov/vuln/detail/CVE-2022-25327

Code Behaviors & Features

Detect and mitigate CVE-2022-25327 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →