Vulnerability Details : CVE-2017-12197
It was found that libpam4j up to and including 1.8 did not properly validate user accounts when authenticating. A user with a valid password for a disabled account would be able to bypass security restrictions and possibly access sensitive information.
Vulnerability category: Input validation
Products affected by CVE-2017-12197
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:libpam4j_project:libpam4j:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-12197
0.20%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 57 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-12197
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST | |
6.5
|
MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2017-12197
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.Assigned by: secalert@redhat.com (Secondary)
References for CVE-2017-12197
-
https://access.redhat.com/errata/RHSA-2017:2905
RHSA-2017:2905 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2017/11/msg00008.html
[SECURITY] [DLA 1165-1] libpam4j security updateThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2017:2904
RHSA-2017:2904 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=1503103
1503103 – (CVE-2017-12197) CVE-2017-12197 libpam4j: Account check bypassIssue Tracking;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2017:2906
RHSA-2017:2906 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.debian.org/security/2017/dsa-4025
Debian -- Security Information -- DSA-4025-1 libpam4jThird Party Advisory
Jump to