A flaw was found in Linux-PAM in versions prior to 1.5.1 in the way it handles empty passwords for non-existing users. When the user doesn't exist, PAM tries to authenticate with root, and in the case of an empty password it successfully authenticates.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Linux-pam | Linux-pam | 1.5.0 (including) | 1.5.1 (excluding) |
Pam | Ubuntu | trusty | * |