Summary
Detail | | | |
---|---|---|---|
Vendor | Eyrie | First view | 2009-02-13 |
Product | Pam-krb5 | Last view | 2009-02-13 |
Version | 3.1 | Type | Application |
Update | * | | |
Edition | * | | |
Language | * | | |
Software Edition | * | | |
Target Software | * | | |
Target Hardware | * | | |
Other | * | | |
CPE Product | cpe:2.3:a:eyrie:pam-krb5 | | |
Activity : Overall
Related : CVE
Score | Date | Alert | Description |
---|---|---|---|
4.6 | 2009-02-13 | CVE-2009-0361 | Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pam_setcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pam_setcred operations. |
6.2 | 2009-02-13 | CVE-2009-0360 | Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
50% (1) | CWE-287 | Improper Authentication |
50% (1) | CWE-264 | Permissions, Privileges, and Access Controls |
Open Source Vulnerability Database (OSVDB)
id | Description |
---|---|
54344 | Russ Allbery pam-krb5 pam_setcred KRB5CCNAME Environment Variable Arbitrary F... |
54343 | Russ Allbery pam-krb5 Kerberos Library Initialization Subversion Local Privil... |
ExploitDB Exploits
id | Description |
---|---|
8303 | pam-krb5 < 3.13 Local Privilege Escalation Exploit |
OpenVAS Exploits
id | Description |
---|---|
2009-06-05 | Name : Ubuntu USN-719-1 (libpam-krb5) File : nvt/ubuntu_719_1.nasl |
2009-05-05 | Name : HP-UX Update for PAM Kerberos HPSBUX02415 File : nvt/gb_hp_ux_HPSBUX02415.nasl |
2009-03-31 | Name : Gentoo Security Advisory GLSA 200903-39 (pam_krb5) File : nvt/glsa_200903_39.nasl |
2009-02-13 | Name : Debian Security Advisory DSA 1721-1 (libpam-krb5) File : nvt/deb_1721_1.nasl |
2009-02-13 | Name : Debian Security Advisory DSA 1722-1 (libpam-heimdal) File : nvt/deb_1722_1.nasl |
Nessus® Vulnerability Scanner
id | Description |
---|---|
2014-12-15 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-201412-08.nasl - Type: ACT_GATHER_INFO |
2009-04-23 | Name: The remote Ubuntu host is missing a security-related patch. File: ubuntu_USN-719-1.nasl - Type: ACT_GATHER_INFO |
2009-03-27 | Name: The remote Gentoo host is missing one or more security-related patches. File: gentoo_GLSA-200903-39.nasl - Type: ACT_GATHER_INFO |
2009-02-13 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-1721.nasl - Type: ACT_GATHER_INFO |
2009-02-13 | Name: The remote Debian host is missing a security-related update. File: debian_DSA-1722.nasl - Type: ACT_GATHER_INFO |
2004-07-12 | Name: The remote host is missing Sun Security Patch number 112908-38 File: solaris9_112908.nasl - Type: ACT_GATHER_INFO |
2004-07-12 | Name: The remote host is missing Sun Security Patch number 115168-24 File: solaris9_x86_115168.nasl - Type: ACT_GATHER_INFO |