Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2019-12210

Published: Jun 04, 2019 | Modified: Aug 24, 2020
CVSS 3.x
8.1
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS 2.x
5.5 MEDIUM
AV:N/AC:L/Au:S/C:P/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2019-12210
CWEhttps://cwe.mitre.org/data/definitions/.html

In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. This leads to the file descriptor being inherited into the child process; the child process can then read from and write to it. This can leak sensitive information and also, if written to, be used to fill the disk or plant misinformation.

Affected Software

Name Vendor Start Version End Version
Pam-u2f Yubico 1.0.7 (including) 1.0.7 (including)
Pam-u2f Ubuntu bionic *
Pam-u2f Ubuntu cosmic *
Pam-u2f Ubuntu disco *
Pam-u2f Ubuntu esm-apps/bionic *
Pam-u2f Ubuntu esm-apps/xenial *
Pam-u2f Ubuntu trusty *
Pam-u2f Ubuntu xenial *

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use