CVE Vulnerabilities

CVE-2012-1576

Published: Oct 01, 2012 | Modified: Apr 05, 2013
CVSS 3.x: N/A
Source: NVD
CVSS 2.x: 6 MEDIUM (AV:N/AC:M/Au:S/C:P/I:P/A:P)
RedHat/V2
RedHat/V3
Ubuntu: LOW

The myuser_delete function in libathemecore/account.c in Atheme 5.x before 5.2.7, 6.x before 6.0.10, and 7.x before 7.0.0-beta2 does not properly clean up CertFP entries when a user is deleted, which allows remote attackers to access a different user account or cause a denial of service (daemon crash) via a login as a deleted user.

Affected Software

Name             Vendor  Start Version      End Version
Atheme           Atheme  6.0.0 (including)  6.0.0 (including)
Atheme           Atheme  6.0.1 (including)  6.0.1 (including)
Atheme           Atheme  6.0.2 (including)  6.0.2 (including)
Atheme           Atheme  6.0.3 (including)  6.0.3 (including)
Atheme           Atheme  6.0.4 (including)  6.0.4 (including)
Atheme           Atheme  6.0.5 (including)  6.0.5 (including)
Atheme           Atheme  6.0.6 (including)  6.0.6 (including)
Atheme           Atheme  6.0.7 (including)  6.0.7 (including)
Atheme           Atheme  6.0.8 (including)  6.0.8 (including)
Atheme           Atheme  6.0.9 (including)  6.0.9 (including)
Atheme-services  Ubuntu  hardy              *
Atheme-services  Ubuntu  lucid              *
Atheme-services  Ubuntu  upstream           *

References