CVE-2015-3238

Published: 24/08/2015 | Updated: 12/02/2023
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.5 | Impact Score: 2.5 | Exploitability Score: 3.9
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:P

Vulnerability Summary

The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) prior to 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password.

Vulnerable Product

linux-pam linux-pam

oracle sparc-opl service processor

Vendor Advisories

Debian Bug report logs - #789986 pam: CVE-2015-3238: DoS/user enumeration due to blocking pipe in pam_unix module. Package: src:pam; Maintainer for src:pam is Steve Langasek <vorlon@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Thu, 25 Jun 2015 20:36:02 UTC; Severity: important; Tags: fixed-up ...
USN-2935-1 introduced a regression in PAM ...
Several security issues were fixed in PAM ...
USN-2935-1 introduced a regression in PAM ...
It was discovered that the _unix_run_helper_binary() function of PAM's unix_pam module could write to a blocking pipe, possibly causing the function to become unresponsive. An attacker able to supply large passwords to the unix_pam module could use this flaw to enumerate valid user accounts, or cause a denial of service on the system (CVE-2015-323 ...
It was discovered that the _unix_run_helper_binary() function of PAM's unix_pam module could write to a blocking pipe, possibly causing the function to become unresponsive. An attacker able to supply large passwords to the unix_pam module could use this flaw to enumerate valid user accounts, or cause a denial of service on the system ...