Skip to content

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass … #482983

Description

@nixpkgs-security-tracker

Description

telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a "-f root" value for the USER environment variable.

CVSS CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVSS version: 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
Affected packages
  • inetutils (2.6@nixos-25.05, 2.6@nixos-unstable)

Additional comment

Upstream advisory: https://lists.gnu.org/archive/html/bug-inetutils/2026-01/msg00004.html

Metadata

Metadata

Assignees

No one assigned

    Labels

    1.severity: securityIssues which raise a security issue, or PRs that fix one

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions