Vulnerability Details : CVE-2012-6140
pam_google_authenticator.c in the PAM module in Google Authenticator before 1.0 requires user-readable permissions for the secret file, which allows local users to bypass intended access restrictions and discover a shared secret via standard filesystem operations, a different vulnerability than CVE-2013-0258.
Vulnerability category: Information leak
Exploit prediction scoring system (EPSS) score for CVE-2012-6140
Probability of exploitation activity in the next 30 days: 0.04%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 6 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2012-6140
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
1.9
|
LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N |
3.4
|
2.9
|
nvd@nist.gov |
CWE ids for CVE-2012-6140
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-6140
-
http://openwall.com/lists/oss-security/2013/04/18/10
oss-security - Re: CVE-2012-XXYY Request -- google-authenticator: Information disclosure due insecure requirement on the secrets file
-
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666129
#666129 - new upstream version fixes security problem with the secret file (CVE-2012-6140) - Debian Bug report logs
-
https://bugzilla.redhat.com/show_bug.cgi?id=953505
953505 – (CVE-2012-6140) CVE-2012-6140 google-authenticator: Information disclosure due insecure requirement on the secrets fileExploit
-
https://code.google.com/p/google-authenticator/source/detail?r=c3414e9857ad64e52283f3266065ef3023fc69a8
GitHub - google/google-authenticator: Open source version of Google Authenticator (except the Android app)
Products affected by CVE-2012-6140
- cpe:2.3:a:google:authenticator:*:*:*:*:*:*:*:*
- cpe:2.3:a:google:authenticator:0.87:*:*:*:*:*:*:*
- cpe:2.3:a:google:authenticator:0.86:*:*:*:*:*:*:*