CVE-2019-12210

Published: 04/06/2019 Updated: 24/08/2020
CVSS v2 Base Score: 5.5 | Impact Score: 4.9 | Exploitability Score: 8
CVSS v3 Base Score: 8.1 | Impact Score: 5.2 | Exploitability Score: 2.8
VMScore: 490
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Vulnerability Summary

A file descriptor leak has been found in pam-u2f prior to 1.8.0. If the `debug` and `debug_file` options are set, the opened debug file is inherited by the successfully authenticated user's process. That user can therefore write further information to it, possibly filling up a privileged file system or manipulating the information found in the debug file. The inherited descriptor can thus leak sensitive information and, if written to, be used to fill the disk or plant misinformation.

Vulnerable Product

yubico pam-u2f 1.0.7

Vendor Advisories

Debian Bug report logs - #930023 pam-u2f: CVE-2019-12210: debug_file file descriptor leak. Package: src:pam-u2f; Maintainer for src:pam-u2f is Debian Authentication Maintainers <team+auth@tracker.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 5 Jun 2019 10:09:08 UTC; Severity: important ...
A file descriptor leak has been found in pam-u2f before 1.8.0. If the `debug` and `debug_file` options are set then the opened debug file will be inherited to the successfully authenticated user's process. Therefore this user can write further information to it, possibly filling up a privileged file system or manipulating the information found in t ...

Mailing Lists

oss-sec mailing list archives: pam-u2f: CVE-2019-12210: debug_file file descriptor leak, CVE-2019-12209: symlink attack on u2f_keys leading to possible inform ...