Vulnerability Details CVE-2018-9275
In check_user_token in util.c in the Yubico PAM module (aka pam_yubico) 2.18 through 2.25, successful logins can leak file descriptors to the auth mapping file, which can lead to information disclosure (serial number of a device) and/or DoS (reaching the maximum number of file descriptors).
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 56.2%
CVSS Severity
CVSS v3 Score 8.2
CVSS v2 Score 6.4
References
- https://bugzilla.opensuse.org/show_bug.cgi?id=1088027
- https://github.com/Yubico/yubico-pam/commit/0f6ceabab0a8849b47f67d727aa526c2656089ba
- https://github.com/Yubico/yubico-pam/issues/136
- https://bugzilla.opensuse.org/show_bug.cgi?id=1088027
- https://github.com/Yubico/yubico-pam/commit/0f6ceabab0a8849b47f67d727aa526c2656089ba
- https://github.com/Yubico/yubico-pam/issues/136
Products affected by CVE-2018-9275
-
cpe:2.3:a:yubico:yubico_pam:*