Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
490
VMScore

CVE-2019-12210

Published: 04/06/2019 Updated: 24/08/2020
CVSS v2 Base Score: 5.5 | Impact Score: 4.9 | Exploitability Score: 8
CVSS v3 Base Score: 8.1 | Impact Score: 5.2 | Exploitability Score: 2.8
VMScore: 490
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Vulnerability Summary

A file descriptor leak has been found in pam-u2f prior to 1.8.0. If the `debug` and `debug_file` options are set then the opened debug file will be inherited to the successfully authenticated user's process. Therefore this user can write further information to it, possibly filling up a privileged file system or manipulating the information found in the debug file. This can leak sensitive information and also, if written to, be used to fill the disk or plant misinformation.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

yubico pam-u2f 1.0.7

Vendor Advisories

Debian CVElist Bug Report Logs: pam-u2f: CVE-2019-12210: debug_file file descriptor leak
Debian Bug report logs - #930023 pam-u2f: CVE-2019-12210: debug_file file descriptor leak Package: src:pam-u2f; Maintainer for src:pam-u2f is Debian Authentication Maintainers <team+auth@trackerdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 5 Jun 2019 10:09:08 UTC Severity: important ...
Arch Linux Issues:
A file descriptor leak has been found in pam-u2f before 180 If the `debug` and `debug_file` options are set then the opened debug file will be inherited to the successfully authenticated user's process Therefore this user can write further information to it, possibly filling up a privileged file system or manipulating the information found in t ...

Mailing Lists

Full Disclosure: pam-u2f: CVE-2019-12210: debug_file file descriptor leak, CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak
Hello, pam-u2f [1] is a PAM module that allows to integrate universal 2nd factor authenticators like YubiKey into the PAM stack In the context of a source code review [2] due to the inclusion of pam-u2f into SUSE Linux two security issues in this PAM module have been uncovered as described in the following sections CVE-2019-12210: debug_file fi ...

References

NVD-CWE-noinfohttps://github.com/Yubico/pam-u2f/commit/18b1914e32b74ff52000f10e97067e841e5fff62https://developers.yubico.com/pam-u2f/Release_Notes.htmlhttp://www.openwall.com/lists/oss-security/2019/06/05/1http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-07/msg00018.htmlhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930023https://nvd.nist.govhttps://security.archlinux.org/CVE-2019-12210
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-32976CVE-2024-33557CVE-2024-36801CVE-2024-35654authentication bypassCVE-2024-24919CSRFcode executionCVE-2024-27348
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook