Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.6
CVSSv2

CVE-2021-31924

Published: 26/05/2021 Updated: 07/11/2023
CVSS v2 Base Score: 4.6 | Impact Score: 6.4 | Exploitability Score: 3.9
CVSS v3 Base Score: 6.8 | Impact Score: 5.9 | Exploitability Score: 0.9
VMScore: 409
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Yubico pam-u2f prior to 1.1.1 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass. This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another enrolled authenticator. If pam-u2f is configured to require PIN authentication, and the application using pam-u2f allows the user to submit NULL as the PIN, pam-u2f will attempt to perform a FIDO2 authentication without PIN. If this authentication is successful, the PIN requirement is bypassed.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

yubico pam-u2f

fedoraproject fedora 34

fedoraproject fedora 35

Vendor Advisories

Debian CVElist Bug Report Logs: libpam-u2f: CVE-2021-31924: libpam_u2f does not require pin regardless of key definition
Debian Bug report logs - #987545 libpam-u2f: CVE-2021-31924: libpam_u2f does not require pin regardless of key definition Package: libpam-u2f; Maintainer for libpam-u2f is Debian Authentication Maintainers <team+auth@trackerdebianorg>; Source for libpam-u2f is src:pam-u2f (PTS, buildd, popcon) Reported by: Kamil Jonca < ...
Arch Linux Issues:
Yubico pam-u2f before 111 has a logic issue that, depending on the pam-u2f configuration and the application used, could lead to a local PIN bypass This issue does not allow user presence (touch) or cryptographic signature verification to be bypassed, so an attacker would still need to physically possess and interact with the YubiKey or another ...

References

CWE-287https://www.yubico.com/support/security-advisories/ysa-2021-03https://developers.yubico.com/pam-u2f/https://security.gentoo.org/glsa/202208-11https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CRBVOZEMVO72FV4Z5O4GBGSURXHWRGD3/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IL3I5AKECLMK4ADLLACLOEF7H5CMNDP2/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987545https://nvd.nist.govhttps://security.archlinux.org/CVE-2021-31924
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-23316SQL injectiontype confusionCVE-2024-20697CVE-2024-4344localCVE-2024-30043CVE-2024-3821CVE-2024-5041
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook