Vulnerability Details : CVE-2019-12209
Yubico pam-u2f 1.0.7 parses the configured authfile (default $HOME/.config/Yubico/u2f_keys) as root unless the openasuser option is enabled, and does not verify that the path is free of symlinks pointing at root-owned files elsewhere on the system. A user can therefore replace their own u2f_keys with a symlink to a file they cannot read. If the debug option is enabled in the PAM configuration, part of the contents of the symlink target is written to the log, potentially disclosing sensitive information. The fix shipped in pam-u2f 1.0.8 (see the vendor release notes and the distribution updates listed under References).
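The mechanism described above, as an added example that is not part of this page or of pam-u2f's own source: the naive open that a privileged PAM module must not use, a hardened open that refuses a symlink at the final component and checks the owner of the opened inode, and the privilege-dropping approach named in the title of the fix commit referenced below. Function names, the temporary-directory layout and the authfile lines are hypothetical and constructed for the demonstration; the fixture runs as an unprivileged user, so the symlink points at a file in the same directory rather than a real root-only file.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not pam-u2f's own code. Function names and fixture paths
 * are hypothetical; the authfile contents written below are constructed. */

enum authfile_status {
    AUTHFILE_OK = 0,
    AUTHFILE_SYMLINK,      /* final path component is a symlink */
    AUTHFILE_NOT_REGULAR,  /* FIFO, device, directory, ... */
    AUTHFILE_BAD_OWNER,    /* inode not owned by the authenticating user */
    AUTHFILE_OPEN_FAILED   /* any other open(2)/fstat(2) failure */
};

/* Vulnerable pattern: open whatever the path resolves to. Called as root,
 * this reads a root-only file if u2f_keys is a symlink planted by the user. */
static FILE *open_authfile_naive(const char *path)
{
    return fopen(path, "r");
}

/* Hardened pattern for a caller that stays privileged: never follow a symlink
 * at the last component, then judge the opened inode (not the path) before a
 * single byte is read or logged. O_NOFOLLOW does not cover symlinked parent
 * directories ($HOME/.config itself), so the owner check is still needed. */
static enum authfile_status open_authfile_checked(const char *path, uid_t expected_uid, int *fd_out)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return (errno == ELOOP || errno == EMLINK) ? AUTHFILE_SYMLINK : AUTHFILE_OPEN_FAILED;
    if (fstat(fd, &st) != 0)     { close(fd); return AUTHFILE_OPEN_FAILED; }
    if (!S_ISREG(st.st_mode))    { close(fd); return AUTHFILE_NOT_REGULAR; }
    if (st.st_uid != expected_uid) { close(fd); return AUTHFILE_BAD_OWNER; }
    *fd_out = fd;
    return AUTHFILE_OK;
}

/* The approach named in the fix commit's title ("drop privileges by default"):
 * become the user for the duration of the open, so the kernel's own permission
 * check refuses a symlink to a root-only file. Requires root. Restore order is
 * uid first, then gid; a failed restore aborts rather than continuing half-dropped. */
static enum authfile_status open_authfile_as_user(const char *path, uid_t uid, gid_t gid, int *fd_out)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    enum authfile_status rc;
    if (setegid(gid) != 0) return AUTHFILE_OPEN_FAILED;
    if (seteuid(uid) != 0) { setegid(saved_gid); return AUTHFILE_OPEN_FAILED; }
    rc = open_authfile_checked(path, uid, fd_out);
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0)
        abort();
    return rc;
}

/* Constructed fixture (runs unprivileged): a regular authfile is accepted, a
 * symlink in its place is refused by the checked open, and the naive open
 * follows the symlink. Returns 0 when all three hold, a bitmask otherwise. */
static int demo_symlink_attack(void)
{
    char dir[] = "/tmp/u2f_demo_XXXXXX";
    char keys[PATH_MAX], target[PATH_MAX], link[PATH_MAX];
    FILE *f;
    int fd = -1, result = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(keys,   sizeof keys,   "%s/u2f_keys", dir);
    snprintf(target, sizeof target, "%s/stand_in_for_root_only_file", dir);
    snprintf(link,   sizeof link,   "%s/u2f_keys_symlink", dir);

    if ((f = fopen(keys, "w")) == NULL) return -1;
    fputs("alice:CONSTRUCTED_KEYHANDLE,CONSTRUCTED_PUBKEY\n", f);  /* constructed line */
    fclose(f);
    if ((f = fopen(target, "w")) == NULL) return -1;
    fputs("secret that must never reach the debug log\n", f);      /* constructed line */
    fclose(f);
    if (symlink(target, link) != 0) return -1;

    if (open_authfile_checked(keys, getuid(), &fd) != AUTHFILE_OK) result |= 1; else close(fd);
    if (open_authfile_checked(link, getuid(), &fd) != AUTHFILE_SYMLINK) result |= 2;
    if ((f = open_authfile_naive(link)) == NULL) result |= 4; else fclose(f); /* link was followed */

    unlink(link); unlink(target); unlink(keys); rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_attack();
    (void)open_authfile_as_user;  /* needs root; shown for reference only */
    printf("checked open rejects symlink, naive open follows it: %s\n", r == 0 ? "yes" : "no");
    return r == 0 ? 0 : 1;
}
```

The point the fixture makes is that the decision must be taken on the opened inode, after O_NOFOLLOW, not on the path string: a lstat-then-open sequence on the path is a classic time-of-check/time-of-use race, and none of the path checks help when the privileged caller simply follows whatever the user put there. Dropping to the user, as in open_authfile_as_user, removes the need to reason about symlinks at all, which is why it is the preferable default.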
Products affected by CVE-2019-12209
- cpe:2.3:a:yubico:pam-u2f:1.0.7:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-12209
EPSS score: 1.19% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~85% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2019-12209
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST |
CWE ids for CVE-2019-12209
- CWE-59 (Improper Link Resolution Before File Access, 'Link Following'): The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-12209
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZCGU6UQLI3ZTW3UYCTMQW7VDL5M4LCWR/
  [SECURITY] Fedora 29 Update: pam-u2f-1.0.8-1.fc29 (package-announce, Fedora Mailing-Lists)
- https://developers.yubico.com/pam-u2f/Release_Notes.html
  pam-u2f Release Notes (Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5FOR4ADC356JPCHAJI5UXZORLC3VNBPS/
  [SECURITY] Fedora 30 Update: pam-u2f-1.0.8-1.fc30 (package-announce, Fedora Mailing-Lists)
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00012.html
  [security-announce] openSUSE-SU-2019:1708-1: moderate: Security update f
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00018.html
  [security-announce] openSUSE-SU-2019:1725-1: moderate: Security update f
- https://github.com/Yubico/pam-u2f/commit/7db3386fcdb454e33a3ea30dcfb8e8960d4c3aa3
  Drop privileges by default when opening user-related files (Yubico/pam-u2f@7db3386, GitHub) (Patch; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2019/06/05/1
  oss-security: pam-u2f: CVE-2019-12210: debug_file file descriptor leak, CVE-2019-12209: symlink attack on u2f_keys leading to possible information leak (Mailing List; Exploit; Third Party Advisory)