Yubico pam-u2f 1.0.7 Log File File Descriptor information disclosure


A vulnerability has been found in Yubico pam-u2f 1.0.7 and classified as critical. It affects an unknown function of the component Log File. No information about possible countermeasures is known. It may be advisable to replace the affected object with an alternative product.

Timeline

Analyzing the timeline helps to identify the required approach to and handling of single vulnerabilities and vulnerability collections. This overview makes it possible to see less important slices and more severe hotspots at a glance, so that an immediate vulnerability response can be initiated and issues prioritized.

[Charts: User, Field, Commit Conf, Approve Conf]

| ID | Committed | User | Field | Change | Remarks | Moderated | Reason | C |
|---|---|---|---|---|---|---|---|---|
| 9031141 | 06/19/2020 | VulD... | confirm_url | https://developers.yubico.com/pam-u2f/Release_Notes.html | developers.yubico.com | 06/19/2020 | accepted | 100 |
| 9031154 | 06/05/2019 | VulD... | cvss3_nvd_basescore | 8.1 | nist.gov | 06/05/2019 | accepted | 90 |
| 9031153 | 06/05/2019 | VulD... | cvss3_vuldb_rc | X | | 06/05/2019 | accepted | 90 |
| 9031152 | 06/05/2019 | VulD... | cvss3_vuldb_rl | X | | 06/05/2019 | accepted | 90 |
| 9031151 | 06/05/2019 | VulD... | cvss3_vuldb_e | X | | 06/05/2019 | accepted | 90 |
| 9031150 | 06/05/2019 | VulD... | cvss2_vuldb_rc | ND | | 06/05/2019 | accepted | 90 |
| 9031149 | 06/05/2019 | VulD... | cvss2_vuldb_rl | ND | | 06/05/2019 | accepted | 90 |
| 9031148 | 06/05/2019 | VulD... | cvss2_vuldb_e | ND | | 06/05/2019 | accepted | 90 |
| 9031147 | 06/05/2019 | VulD... | location | Website | | 06/05/2019 | accepted | 90 |
| 9031146 | 06/05/2019 | VulD... | seealso | 135939 | | 06/05/2019 | accepted | 100 |
| 9031145 | 06/05/2019 | VulD... | cve_nvd_summary | In Yubico pam-u2f 1.0.7, when configured with debug and a custom debug log file is set using debug_file, that file descriptor is not closed when a new process is spawned. This leads to the file descriptor being inherited into the child process; the child process can then read from and write to it. This can leak sensitive information and also, if written to, be used to fill the disk or plant misinformation. | mitre.org | 06/05/2019 | accepted | 100 |
| 9031144 | 06/05/2019 | VulD... | cve_assigned | 1558310400 | mitre.org | 06/05/2019 | accepted | 100 |
| 9031143 | 06/05/2019 | VulD... | cve | CVE-2019-12210 | mitre.org | 06/05/2019 | accepted | 100 |
| 9031142 | 06/05/2019 | VulD... | price_0day | $0-$5k | see documentation | 06/05/2019 | accepted | 100 |
| 9031140 | 06/05/2019 | VulD... | url | https://developers.yubico.com/pam-u2f/Release_Notes.html | developers.yubico.com | 06/05/2019 | accepted | 100 |
| 9031139 | 06/05/2019 | VulD... | date | 1559606400 (06/04/2019) | | 06/05/2019 | accepted | 100 |
| 9031138 | 06/05/2019 | VulD... | cvss3_nvd_a | N | nist.gov | 06/05/2019 | accepted | 100 |
| 9031137 | 06/05/2019 | VulD... | cvss3_nvd_i | H | nist.gov | 06/05/2019 | accepted | 100 |
| 9031136 | 06/05/2019 | VulD... | cvss3_nvd_c | H | nist.gov | 06/05/2019 | accepted | 100 |
| 9031135 | 06/05/2019 | VulD... | cvss3_nvd_s | U | nist.gov | 06/05/2019 | accepted | 100 |
