CVE-2022-0563 is a medium-severity vulnerability affecting the util-linux package, specifically the chfn and chsh utilities when compiled with Readline support. The Readline library uses the INPUTRC environment variable to specify a path to its configuration file. If the specified configuration file cannot be parsed correctly, Readline outputs an error message that inadvertently includes data read from the file. This behavior can be exploited by an unprivileged user to read contents of root-owned files, which normally should be inaccessible. The vulnerability arises because the error message leaks sensitive file contents, violating confidentiality. The affected versions are util-linux prior to 2.37.4, and the flaw was publicly disclosed in February 2022. The CVSS v3.1 base score is 5.5, reflecting a medium severity with a vector indicating local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. There are no known exploits in the wild, and no official patch links were provided in the source data, but the fixed version is 2.37.4 or later. This vulnerability is categorized under CWE-209 (Information Exposure Through an Error Message). Exploitation requires local access and the ability to influence the INPUTRC environment variable for the chfn or chsh utilities, which are commonly used for changing user information and shell settings on Linux systems.

For European organizations, this vulnerability poses a risk primarily in environments where util-linux is deployed with Readline support and where users have local access to systems running vulnerable versions. The ability for an unprivileged user to read root-owned files can lead to exposure of sensitive configuration files, credentials, or other critical data, potentially enabling further privilege escalation or lateral movement within the network. This is particularly concerning for organizations with multi-user Linux servers, shared hosting environments, or critical infrastructure systems relying on util-linux utilities. Although the vulnerability does not directly impact integrity or availability, the confidentiality breach can undermine trust, compliance with data protection regulations such as GDPR, and overall system security posture. The medium severity and local attack vector limit the scope to insider threats or attackers with initial foothold, but the potential to escalate privileges makes it a significant concern for sensitive environments.

To mitigate this vulnerability, European organizations should prioritize upgrading util-linux to version 2.37.4 or later, where the issue is resolved. In environments where immediate upgrade is not feasible, administrators should consider restricting access to the chfn and chsh utilities to trusted users only, using file permissions or access control mechanisms. Additionally, environment variables such as INPUTRC should be sanitized or restricted to prevent untrusted users from influencing them. Monitoring and auditing usage of these utilities can help detect suspicious activity. Employing mandatory access controls (e.g., SELinux, AppArmor) to limit the ability of unprivileged users to execute or manipulate these utilities can further reduce risk. Finally, organizations should review and harden local user permissions and consider isolating critical systems to minimize the impact of potential local exploits.